From nobody@FreeBSD.org Sat Apr 7 16:41:51 2001
Return-Path:
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 95E1237B424
	for ; Sat, 7 Apr 2001 16:41:50 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f37Nfok72061;
	Sat, 7 Apr 2001 16:41:50 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200104072341.f37Nfok72061@freefall.freebsd.org>
Date: Sat, 7 Apr 2001 16:41:50 -0700 (PDT)
From: davidx@viasoft.com.cn
To: freebsd-gnats-submit@FreeBSD.org
Subject: ctrl+alt+del --- normal user can reboot machine
X-Send-Pr-Version: www-1.0

>Number: 26416
>Category: kern
>Synopsis: ctrl+alt+del --- normal user can reboot machine
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: closed
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Apr 07 16:50:01 PDT 2001
>Closed-Date: Sat Apr 7 17:14:43 PDT 2001
>Last-Modified: Mon Apr 9 01:00:01 PDT 2001
>Originator: David Xu
>Release: FreeBSD 4.3RC
>Organization: Viasoft
>Environment:
All FreeBSD versions.
>Description:
a normal user can login console and press ctrl+alt+del to reboot
machine, there is no way to disable this action even it is what
root want. a root user can load a tweaked keyboard map to disable
ctrl+alt+del, but a normal user can still load another keyboard map
to re-enable ctrl+alt+del. this is a security problem.
>How-To-Repeat:
login console via normal user, load a bootable keyboard map,
press ctrl+alt+del, kick root away.
>Fix:
options:
1. disable normal user to load a keyboard map, but if it is a user
   owned pc, it is kibitzed.
2. normal user presses ctrl+alt+del has no effect, but if it is
   a user owned pc, this is also kibitzed.
3. final solution, add a sysctl item to let root user enable/disable
   ctrl+alt+del.
>Release-Note:
>Audit-Trail:

From: David Taylor
To: davidx@viasoft.com.cn
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/26416: ctrl+alt+del --- normal user can reboot machine
Date: Sun, 8 Apr 2001 01:01:03 +0100

On Sat, 07 Apr 2001, davidx@viasoft.com.cn wrote:
> >Description:
> a normal user can login console and press ctrl+alt+del to reboot
> machine, there is no way to disable this action even it is what
> root want. a root user can load a tweaked keyboard map to disable
> ctrl+alt+del, but a normal user can still load another keyboard map
> to re-enable ctrl+alt+del. this is a security problem.

Not strictly true:

options SC_DISABLE_REBOOT # disable reboot key sequence

in the kernel config will disable ctrl+alt+del entirely.

> options:
> 1. disable normal user to load a keyboard map, but if it is a user
> owned pc, it is kibitzed.
> 2. normal user presses ctrl+alt+del has no effect, but if it is
> a user owned pc, this is also kibitzed.
> 3. final solution, add a sysctl item to let root user enable/disable
> ctrl+alt+del.
>

IMNSHO, a sysctl to disable c+a+d, and to disable normal users loading
new keymaps (i.e. two separate sysctls), would be a good idea..

--
David Taylor
davidt@yadt.co.uk

State-Changed-From-To: open->closed
State-Changed-By: billf
State-Changed-When: Sat Apr 7 17:14:43 PDT 2001
State-Changed-Why:
As explained on the mailing list by phk, this is provided as a kernel
option and can also be controlled by keyboard mappings.
If the machine is going to be used by untrusted users at the console,
the kernel option is a good idea.

Providing a sysctl to allow ctrl-alt-del and then changing that sysctl
and pressing ctrl-alt-del to reboot a machine is the long way of typing
'reboot'.

http://www.freebsd.org/cgi/query-pr.cgi?pr=26416

From: Dima Dorfman
To: davidx@viasoft.com.cn
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/26416: ctrl+alt+del --- normal user can reboot machine
Date: Sat, 07 Apr 2001 17:23:58 -0700

davidx@viasoft.com.cn writes:
> >Description:
> a normal user can login console and press ctrl+alt+del to reboot
> machine, there is no way to disable this action even it is what
> root want. a root user can load a tweaked keyboard map to disable
> ctrl+alt+del, but a normal user can still load another keyboard map
> to re-enable ctrl+alt+del. this is a security problem.

A normal user can also plant an explosive device next to the computer
and blow it up. They can also throw a grenade. Failing that, they
can rip the computer off the rack (or table) and throw it out a
window. If you don't have a window, they can throw it against a wall.
Heck, they can just push the power button! What do you expect FreeBSD
to do about that?

In other words, I don't think this is a security hole. There are
bigger problems when a user has console access. A reboot via the
three-finger-salute is but a minor detail.

Also, as someone has already pointed out, there is a kernel option to
disable this. Since it's not something you would want to be turning
on and off on a regular basis, there's no need for a sysctl.

Regards,

Dima Dorfman
dima@unixfreak.org

From: Dag-Erling Smorgrav
To: davidx@viasoft.com.cn
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: kern/26416: ctrl+alt+del --- normal user can reboot machine
Date: 09 Apr 2001 03:06:08 +0200

davidx@viasoft.com.cn writes:
> a normal user can login console and press ctrl+alt+del to reboot
> machine [...]

Yes. It's a feature.
In the unhappy circumstance where you actually
have to give users access to the console, and one of them figures the
box needs a reboot 'cause it's too slow to his taste or something,
what would you rather have him press: Ctrl-Alt-Del, or the reset
button?

DES
--
Dag-Erling Smorgrav - des@ofug.org

From: Will Andrews
To: Dag-Erling Smorgrav
Cc: FreeBSD GNATS DB
Subject: Re: kern/26416: ctrl+alt+del --- normal user can reboot machine
Date: Sun, 8 Apr 2001 20:22:24 -0500

On Sun, Apr 08, 2001 at 06:10:03PM -0700, Dag-Erling Smorgrav wrote:
> Yes. It's a feature. In the unhappy circumstance where you actually
> have to give users access to the console, and one of them figures the
> box needs a reboot 'cause it's too slow to his taste or something,
> what would you rather have him press: Ctrl-Alt-Del, or the reset
> button?

Hear, hear.

--
wca

From: "David Xu"
To: "Dag-Erling Smorgrav"
Cc:
Subject: Re: kern/26416: ctrl+alt+del --- normal user can reboot machine
Date: Mon, 9 Apr 2001 10:27:15 +0800

From: Dag-Erling Smorgrav
To: "David Xu"
Cc:
Subject: Re: kern/26416: ctrl+alt+del --- normal user can reboot machine
Date: 09 Apr 2001 09:49:23 +0200

"David Xu" writes:
> well, if a normal user can not execute "reboot" command, why does FBSD
> allow him to press ctrl+alt+del? it is obviously inconsistent.

No. There is a fundamental difference between the reboot(8) command
and Ctrl+Alt+Del: the latter is only available to the user sitting at
the console.

> we have hacked syscons source code, added this feature, at least, it
> works well, but unfortunately, every time a cvsup will overwrite our
> source code, I need re-patch it again, I hate to do it again and
> again, so my request goes out.

There are several documented ways of preventing cvsup from overwriting
modified files (one of which is to use cvs instead).
Also, I see no mention of a patch anywhere in your PR.

DES
--
Dag-Erling Smorgrav - des@ofug.org
>Unformatted:
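
An added example, not part of the PR or of FreeBSD's own code: a shell check that reports which of the three situations discussed in this thread a console is in, given a kernel config file and a syscons keymap. It assumes kbdmap(5) keymap rows in which the reboot action is spelled `boot`; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the PR. Function names and sample files are constructed.

# True if the kernel config has an active "options SC_DISABLE_REBOOT" line.
kernel_disables_reboot() {
    grep -Eq '^[[:space:]]*options[[:space:]]+SC_DISABLE_REBOOT([[:space:]]|#|$)' "$1"
}

# Print the scancode of every keymap row that binds the "boot" action.
# Assumption: kbdmap(5) layout, scancode first, then the action columns.
keymap_boot_keys() {
    awk '/^[ \t]*#/ { next }
         $1 ~ /^[0-9]+$/ { for (i = 2; i <= NF; i++)
                               if ($i == "boot") { print $1; next } }' "$1"
}

# Classify one kernel config + keymap pair.
reboot_key_status() {
    if kernel_disables_reboot "$1"; then
        echo "disabled-in-kernel"
    elif [ -z "$(keymap_boot_keys "$2")" ]; then
        echo "keymap-only"   # holds only until another keymap is loaded
    else
        echo "enabled"
    fi
}

# Constructed sample inputs.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'device sc' '#options SC_DISABLE_REBOOT' > "$tmp/STOCK"
printf '%s\n' 'device sc' \
    'options SC_DISABLE_REBOOT # disable reboot key sequence' > "$tmp/HARDENED"
cat > "$tmp/stock.kbd" <<'EOF'
# scan  base shift cntrl shft-cntrl alt alt-shft alt-cntrl alt-shft-cntrl lock
  004   '3'  '#'   nop   nop   '3'  '#'  nop   nop   O
  083   del  '.'   '.'   '.'   '.'  '.'  boot  boot  N
  103   del  del   del   del   del  del  boot  boot  N
EOF
sed 's/boot/nop/g' "$tmp/stock.kbd" > "$tmp/noboot.kbd"

for conf in STOCK HARDENED; do
    for map in stock.kbd noboot.kbd; do
        printf '%-9s %-11s %s\n' "$conf" "$map" \
            "$(reboot_key_status "$tmp/$conf" "$tmp/$map")"
    done
done
```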