| Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | Linux 2.4.2 Secure Attention Key (SAK) handling |
| 2 | 18 March 2001, Andrew Morton <akpm@osdl.org> |
| 3 | |
| 4 | An operating system's Secure Attention Key is a security tool which is |
| 5 | provided as protection against trojan password capturing programs. It |
| 6 | is an undefeatable way of killing all programs which could be |
| 7 | masquerading as login applications. Users need to be taught to enter |
| 8 | this key sequence before they log in to the system. |
| 9 | |
| 10 | From the PC keyboard, Linux has two similar but different ways of |
| 11 | providing SAK. One is the ALT-SYSRQ-K sequence. You shouldn't use |
| 12 | this sequence. It is only available if the kernel was compiled with |
| 13 | sysrq support. |
| 14 | |
| 15 | The proper way of generating a SAK is to define the key sequence using |
| 16 | `loadkeys'. This will work whether or not sysrq support is compiled |
| 17 | into the kernel. |
| 18 | |
| 19 | SAK works correctly when the keyboard is in raw mode. This means that |
| 20 | once defined, SAK will kill a running X server. If the system is in |
| 21 | run level 5, the X server will restart. This is what you want to |
| 22 | happen. |
| 23 | |
| 24 | What key sequence should you use? Well, CTRL-ALT-DEL is used to reboot |
| 25 | the machine. CTRL-ALT-BACKSPACE is magical to the X server. We'll |
| 26 | choose CTRL-ALT-PAUSE. |
| 27 | |
| 28 | In your rc.sysinit (or rc.local) file, add the command |
| 29 | |
| 30 | echo "control alt keycode 101 = SAK" | /bin/loadkeys |
| 31 | |
| 32 | And that's it! Only the superuser may reprogram the SAK key. |
| 33 | |
| 34 | |
| 35 | NOTES |
| 36 | ===== |
| 37 | |
| 38 | 1: Linux SAK is said to be not a "true SAK" as is required by |
| 39 | systems which implement C2 level security. This author does not |
| 40 | know why. |
| 41 | |
| 42 | |
| 43 | 2: On the PC keyboard, SAK kills all applications which have |
| 44 | /dev/console opened. |
| 45 | |
| 46 | Unfortunately this includes a number of things which you don't |
| 47 | actually want killed. This is because these applications are |
| 48 | incorrectly holding /dev/console open. Be sure to complain to your |
| 49 | Linux distributor about this! |
| 50 | |
| 51 | You can identify processes which will be killed by SAK with the |
| 52 | command |
| 53 | |
| 54 | # ls -l /proc/[0-9]*/fd/* | grep console |
| 55 | l-wx------ 1 root root 64 Mar 18 00:46 /proc/579/fd/0 -> /dev/console |
| 56 | |
| 57 | Then: |
| 58 | |
| 59 | # ps aux|grep 579 |
| 60 | root 579 0.0 0.1 1088 436 ? S 00:43 0:00 gpm -t ps/2 |
| 61 | |
| 62 | So `gpm' will be killed by SAK. This is a bug in gpm. It should |
| 63 | be closing standard input. You can work around this by finding the |
| 64 | initscript which launches gpm and changing it thusly: |
| 65 | |
| 66 | Old: |
| 67 | |
| 68 | daemon gpm |
| 69 | |
| 70 | New: |
| 71 | |
| 72 | daemon gpm < /dev/null |
| 73 | |
| 74 | Vixie cron also seems to have this problem, and needs the same treatment. |
| 75 | |
| 76 | Also, one prominent Linux distribution has the following three |
| 77 | lines in its rc.sysinit and rc scripts: |
| 78 | |
| 79 | exec 3<&0 |
| 80 | exec 4>&1 |
| 81 | exec 5>&2 |
| 82 | |
| 83 | These commands cause *all* daemons which are launched by the |
| 84 | initscripts to have file descriptors 3, 4 and 5 attached to |
| 85 | /dev/console. So SAK kills them all. A workaround is to simply |
| 86 | delete these lines, but this may cause system management |
| 87 | applications to malfunction - test everything well. |
| 88 | |