15

Looks like it is easy to log keystrokes of all processes of the same user. A basic keylogger is 'xinput'.

xinput test-xi2

The command generates a log of all key-presses. Unfortunately, this includes passwords in gnome-terminal. Googling suggested that grabbing the keyboard may prevent other windows from capturing keystrokes.

Is there a way to prevent XI2 logging in gnome-terminal? Or is there an X terminal that has this feature?

yanychar
  • 652

3 Answers

13

It's not possible, as any keystrokes passed on to the X server will be available to xinput/any arbitrary program. (In fact, it's part of the design.) New display servers like Wayland and Mir are fixing such security problems in X. The only real solution would be to use Wayland or Mir instead of X. This blog post details this issue.

-2

Not really. Even if you somehow manage to grab the keyboard within X (I don't know whether this is even possible, I doubt that), a keylogger utility running as root will always have access to the keyboard.

January
  • 37,208
-4

As others said here, it's not possible to protect only one program, such as gnome-terminal or another terminal, from key logging, unless you restrict standard users from executing any key logger or you stop/pause any key logger process.

Next I will show you how you can do this in the case of the xinput command, but the same methods can be used for any other key logger. If a key logger uses the xinput command, it is not necessary to apply the method to it as long as you apply it to xinput.

1. Restrict standard users from using the xinput command

You can restrict standard users from using the xinput command with the following command:

sudo chmod go-x /usr/bin/xinput

2. Restrict standard users from using the xinput command with the test-xi2 argument

You can restrict standard users from using the xinput command with the test-xi2 argument by writing a wrapper for this command. To do this, open a terminal and follow the instructions below:

  • Get root privileges:

    sudo -i
    
  • Move the xinput file to another directory which is not in any user's PATH (for example /opt):

    mv /usr/bin/xinput /new/path/to/xinput
    
  • Create your wrapper for xinput command in /usr/bin:

    gedit /usr/bin/xinput
    

    Add the following script inside:

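    #!/bin/bash
    # Wrapper: refuse the test-xi2 argument for non-root users,
    # otherwise pass everything through to the real xinput.
    args="$*"
    if [ "$args" != "${args/test-xi2/}" ] && [ "$(whoami)" != "root" ]; then
        echo "$(basename "$0") $args: Permission denied"
    else
        /new/path/to/xinput "$@"
    fi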
    

    Save the file and close it.

  • Make the new wrapper executable:

    chmod +x /usr/bin/xinput
    

While the first method is safe, with the second method the user may still circumvent it by calling the original xinput directly if he knows its new location.

3. Stop/pause any xinput process

You can stop or pause any xinput process before entering a password or anything else that you don't want to be logged. To do this, add the following bash function at the end of your ~/.bashrc file:

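processof () {
    # Usage: processof <process_name> [stop|pause|continue]
    local xinput_pids pid
    xinput_pids="$(pidof "$1")"
    if [ -z "$xinput_pids" ]; then
        echo "Nothing to stop/pause/continue. $1: no such process!"
        return
    fi
    for pid in $xinput_pids; do
        case "$2" in
        "stop")
            kill "$pid"            # SIGTERM: terminate the process
            echo "$1: stopped"
            ;;
        "pause")
            kill -STOP "$pid"      # SIGSTOP: suspend the process
            echo "$1: paused"
            ;;
        "continue")
            kill -CONT "$pid"      # SIGCONT: resume a suspended process
            echo "$1: continue"
            ;;
        *)
            echo "$1 is running"
            ;;
        esac
    done
}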

Now, after you reopen your terminal, anytime you want, using this function you can:

  • stop/kill all xinput processes:

    processof xinput stop
    
  • pause all xinput processes:

    processof xinput pause
    
  • resume all xinput processes:

    processof xinput continue
    

In fact, with this function you can stop/pause any process you wish before doing something (such as entering the password):

processof [process_name] [stop|pause|continue]

If you don't know how to detect an active keylogger on your system, see:

These methods may not be the best solutions, but I hope they give you an idea about what you can do...

Radu Rădeanu
  • 174,089
  • 51
  • 332
  • 407
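
For the detection side that the last answer mentions, here is an added example (not part of any answer above) that lists xinput processes running in an event-monitoring mode, matching on the program's base name so that a binary moved out of /usr/bin, as in method 2, is still reported. The function names, the sample process lines and the /opt/hidden path are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag xinput processes started with the "test" or "test-xi2"
# sub-command, whatever directory the binary was launched from.

# Reads lines in `ps -eo pid=,user=,args=` format on stdin and prints
# "PID USER COMMAND" for each match.
find_xinput_monitors() {
    awk '
    {
        # Program name = last path component of the first command word.
        n = split($3, parts, "/")
        if (parts[n] != "xinput") next

        # xinput takes its sub-command as the first argument, with or
        # without leading dashes ("test-xi2" and "--test-xi2" both work).
        sub_cmd = $4
        sub(/^-+/, "", sub_cmd)
        if (sub_cmd != "test" && sub_cmd != "test-xi2") next

        # Rebuild the command line with single spaces for the report.
        cmd = $3
        for (i = 4; i <= NF; i++) cmd = cmd " " $i
        print $1, $2, cmd
    }'
}

# Constructed sample input so the function can be exercised offline.
sample_ps() {
    cat <<'EOF'
 1201 alice    /usr/bin/xinput test-xi2 --root
 1310 alice    /opt/hidden/xinput --test 11
 1422 bob      xinput list
 1500 alice    /usr/bin/gnome-terminal-server
 1611 bob      grep xinput test-xi2
EOF
}

# Demo on the sample; for live use run:
#   ps -eo pid=,user=,args= | find_xinput_monitors
sample_ps | find_xinput_monitors
```

The PIDs it reports can be handed to the `processof`-style stop/pause step above; any other X client that reads input events is outside what this check sees.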