~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/Documentation/security/sak.rst

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /Documentation/security/sak.rst (Version linux-6.12-rc7) and /Documentation/security/sak.rst (Version linux-4.14.336)


  1 =========================================         
  2 Linux Secure Attention Key (SAK) handling         
  3 =========================================         
  4                                                   
  5 :Date: 18 March 2001                              
  6 :Author: Andrew Morton                            
  7                                                   
  8 An operating system's Secure Attention Key is     
  9 provided as protection against trojan password    
 10 is an undefeatable way of killing all programs    
 11 masquerading as login applications.  Users nee    
 12 this key sequence before they log in to the sy    
 13                                                   
 14 From the PC keyboard, Linux has two similar bu    
 15 providing SAK.  One is the ALT-SYSRQ-K sequenc    
 16 this sequence.  It is only available if the ke    
 17 sysrq support.                                    
 18                                                   
 19 The proper way of generating a SAK is to defin    
 20 ``loadkeys``.  This will work whether or not s    
 21 into the kernel.                                  
 22                                                   
 23 SAK works correctly when the keyboard is in ra    
 24 once defined, SAK will kill a running X server    
 25 run level 5, the X server will restart.  This     
 26 happen.                                           
 27                                                   
 28 What key sequence should you use? Well, CTRL-A    
 29 the machine.  CTRL-ALT-BACKSPACE is magical to    
 30 choose CTRL-ALT-PAUSE.                            
 31                                                   
 32 In your rc.sysinit (or rc.local) file, add the    
 33                                                   
 34         echo "control alt keycode 101 = SAK" |    
 35                                                   
 36 And that's it!  Only the superuser may reprogr    
 37                                                   
 38                                                   
 39 .. note::                                         
 40                                                   
 41   1. Linux SAK is said to be not a "true SAK"     
 42      systems which implement C2 level security    
 43      know why.                                    
 44                                                   
 45                                                   
 46   2. On the PC keyboard, SAK kills all applica    
 47      /dev/console opened.                         
 48                                                   
 49      Unfortunately this includes a number of t    
 50      actually want killed.  This is because th    
 51      incorrectly holding /dev/console open.  B    
 52      Linux distributor about this!                
 53                                                   
 54      You can identify processes which will be     
 55      command::                                    
 56                                                   
 57         # ls -l /proc/[0-9]*/fd/* | grep conso    
 58         l-wx------    1 root     root             
 59                                                   
 60      Then::                                       
 61                                                   
 62         # ps aux|grep 579                         
 63         root       579  0.0  0.1  1088  436 ?     
 64                                                   
 65      So ``gpm`` will be killed by SAK.  This i    
 66      be closing standard input.  You can work     
 67      initscript which launches gpm and changin    
 68                                                   
 69      Old::                                        
 70                                                   
 71         daemon gpm                                
 72                                                   
 73      New::                                        
 74                                                   
 75         daemon gpm < /dev/null                    
 76                                                   
 77      Vixie cron also seems to have this proble    
 78                                                   
 79      Also, one prominent Linux distribution ha    
 80      lines in its rc.sysinit and rc scripts::     
 81                                                   
 82         exec 3<&0                                 
 83         exec 4>&1                                 
 84         exec 5>&2                                 
 85                                                   
 86      These commands cause **all** daemons whic    
 87      initscripts to have file descriptors 3, 4    
 88      /dev/console.  So SAK kills them all.  A     
 89      delete these lines, but this may cause sy    
 90      applications to malfunction - test everyt    
 91                                                   
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php