Hi! On Sun, May 08, 2005 at 08:42:40PM +0200, Martin Quinson wrote: > > Ha, on my system if you can do Alt-SysRq-K, you can do > > Alt-SysRq-U, Alt-SysRq-B, Alt-SysRq-O and so on. > > > > I didn't try to restrict this and don't know whether > > there's a way to do it.
Appears that there are two ways for SAK. The second way does not require "magic SysRq key" and is preferred: > echo "control alt keycode 101 = SAK" | /bin/loadkey You can find this information in kernel sources in Documentation/SAK.txt (as I've done right now ;)). > My opinion is that we could do the following: > > - document in login man page that those keys are the only way to secure the > login when other users have a physical access to the box (with or without > an idea about how to exploit this) This is OK. And this would better be fixed upstream. > - reassign this bug to kernel image for not activating this by default in > debian kernels (or buy me a brain so that I can use it with a official > built kernel) This is not OK, because magic SysRq will allow other [nasty] things besides SAK, and there's a second way for SAK, which works with standard Debian kernels (? -- need to check). Actually, I don't use standard Debian kernels for a very long time... > - maybe change the login program so that it gets mad when it receives the > Alt+SysRq+k key, saying someting like: > > Security issue: Got the Alt+SysRq+k key. Magic SysRq keys are not > compiled into the kernel. You cannot make sure that login is not pished... There's a problem implementing this, because SAK through Alt-SysRq is not the preferred way, and the preferred way does not use a fixed key combination. -- WBR, xrgtn -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
