~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/Documentation/security/sak.rst

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /Documentation/security/sak.rst (Version linux-6.12-rc7) and /Documentation/security/sak.rst (Version linux-6.5.13)


  1 =========================================           1 =========================================
  2 Linux Secure Attention Key (SAK) handling           2 Linux Secure Attention Key (SAK) handling
  3 =========================================           3 =========================================
  4                                                     4 
  5 :Date: 18 March 2001                                5 :Date: 18 March 2001
  6 :Author: Andrew Morton                              6 :Author: Andrew Morton
  7                                                     7 
  8 An operating system's Secure Attention Key is       8 An operating system's Secure Attention Key is a security tool which is
  9 provided as protection against trojan password      9 provided as protection against trojan password capturing programs.  It
 10 is an undefeatable way of killing all programs     10 is an undefeatable way of killing all programs which could be
 11 masquerading as login applications.  Users nee     11 masquerading as login applications.  Users need to be taught to enter
 12 this key sequence before they log in to the sy     12 this key sequence before they log in to the system.
 13                                                    13 
 14 From the PC keyboard, Linux has two similar bu     14 From the PC keyboard, Linux has two similar but different ways of
 15 providing SAK.  One is the ALT-SYSRQ-K sequenc     15 providing SAK.  One is the ALT-SYSRQ-K sequence.  You shouldn't use
 16 this sequence.  It is only available if the ke     16 this sequence.  It is only available if the kernel was compiled with
 17 sysrq support.                                     17 sysrq support.
 18                                                    18 
 19 The proper way of generating a SAK is to defin     19 The proper way of generating a SAK is to define the key sequence using
 20 ``loadkeys``.  This will work whether or not s     20 ``loadkeys``.  This will work whether or not sysrq support is compiled
 21 into the kernel.                                   21 into the kernel.
 22                                                    22 
 23 SAK works correctly when the keyboard is in ra     23 SAK works correctly when the keyboard is in raw mode.  This means that
 24 once defined, SAK will kill a running X server     24 once defined, SAK will kill a running X server.  If the system is in
 25 run level 5, the X server will restart.  This      25 run level 5, the X server will restart.  This is what you want to
 26 happen.                                            26 happen.
 27                                                    27 
 28 What key sequence should you use? Well, CTRL-A     28 What key sequence should you use? Well, CTRL-ALT-DEL is used to reboot
 29 the machine.  CTRL-ALT-BACKSPACE is magical to     29 the machine.  CTRL-ALT-BACKSPACE is magical to the X server.  We'll
 30 choose CTRL-ALT-PAUSE.                             30 choose CTRL-ALT-PAUSE.
 31                                                    31 
 32 In your rc.sysinit (or rc.local) file, add the     32 In your rc.sysinit (or rc.local) file, add the command::
 33                                                    33 
 34         echo "control alt keycode 101 = SAK" |     34         echo "control alt keycode 101 = SAK" | /bin/loadkeys
 35                                                    35 
 36 And that's it!  Only the superuser may reprogr     36 And that's it!  Only the superuser may reprogram the SAK key.
 37                                                    37 
 38                                                    38 
 39 .. note::                                          39 .. note::
 40                                                    40 
 41   1. Linux SAK is said to be not a "true SAK"      41   1. Linux SAK is said to be not a "true SAK" as is required by
 42      systems which implement C2 level security     42      systems which implement C2 level security.  This author does not
 43      know why.                                     43      know why.
 44                                                    44 
 45                                                    45 
 46   2. On the PC keyboard, SAK kills all applica     46   2. On the PC keyboard, SAK kills all applications which have
 47      /dev/console opened.                          47      /dev/console opened.
 48                                                    48 
 49      Unfortunately this includes a number of t     49      Unfortunately this includes a number of things which you don't
 50      actually want killed.  This is because th     50      actually want killed.  This is because these applications are
 51      incorrectly holding /dev/console open.  B     51      incorrectly holding /dev/console open.  Be sure to complain to your
 52      Linux distributor about this!                 52      Linux distributor about this!
 53                                                    53 
 54      You can identify processes which will be      54      You can identify processes which will be killed by SAK with the
 55      command::                                     55      command::
 56                                                    56 
 57         # ls -l /proc/[0-9]*/fd/* | grep conso     57         # ls -l /proc/[0-9]*/fd/* | grep console
 58         l-wx------    1 root     root              58         l-wx------    1 root     root           64 Mar 18 00:46 /proc/579/fd/0 -> /dev/console
 59                                                    59 
 60      Then::                                        60      Then::
 61                                                    61 
 62         # ps aux|grep 579                          62         # ps aux|grep 579
 63         root       579  0.0  0.1  1088  436 ?      63         root       579  0.0  0.1  1088  436 ?        S    00:43   0:00 gpm -t ps/2
 64                                                    64 
 65      So ``gpm`` will be killed by SAK.  This i     65      So ``gpm`` will be killed by SAK.  This is a bug in gpm.  It should
 66      be closing standard input.  You can work      66      be closing standard input.  You can work around this by finding the
 67      initscript which launches gpm and changin     67      initscript which launches gpm and changing it thusly:
 68                                                    68 
 69      Old::                                         69      Old::
 70                                                    70 
 71         daemon gpm                                 71         daemon gpm
 72                                                    72 
 73      New::                                         73      New::
 74                                                    74 
 75         daemon gpm < /dev/null                     75         daemon gpm < /dev/null
 76                                                    76 
 77      Vixie cron also seems to have this proble     77      Vixie cron also seems to have this problem, and needs the same treatment.
 78                                                    78 
 79      Also, one prominent Linux distribution ha     79      Also, one prominent Linux distribution has the following three
 80      lines in its rc.sysinit and rc scripts::      80      lines in its rc.sysinit and rc scripts::
 81                                                    81 
 82         exec 3<&0                                  82         exec 3<&0
 83         exec 4>&1                                  83         exec 4>&1
 84         exec 5>&2                                  84         exec 5>&2
 85                                                    85 
 86      These commands cause **all** daemons whic     86      These commands cause **all** daemons which are launched by the
 87      initscripts to have file descriptors 3, 4     87      initscripts to have file descriptors 3, 4 and 5 attached to
 88      /dev/console.  So SAK kills them all.  A      88      /dev/console.  So SAK kills them all.  A workaround is to simply
 89      delete these lines, but this may cause sy     89      delete these lines, but this may cause system management
 90      applications to malfunction - test everyt     90      applications to malfunction - test everything well.
 91                                                    91 
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php