Eric Lee / smarc-fsl-linux-kernel

Blame view

Documentation/SAK.txt 2.85 KB
edit raw normal view history
1da177e4c   Linus Torvalds   Linux-2.6.12-rc2 
1
 
  Linux 2.4.2 Secure Attention Key (SAK) handling
e1f8e8744   Francois Cami   Remove Andrew Mor... 
2
 
  18 March 2001, Andrew Morton
1da177e4c   Linus Torvalds   Linux-2.6.12-rc2 
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
 
  
  An operating system's Secure Attention Key is a security tool which is
  provided as protection against trojan password capturing programs.  It
  is an undefeatable way of killing all programs which could be
  masquerading as login applications.  Users need to be taught to enter
  this key sequence before they log in to the system.
  
  From the PC keyboard, Linux has two similar but different ways of
  providing SAK.  One is the ALT-SYSRQ-K sequence.  You shouldn't use
  this sequence.  It is only available if the kernel was compiled with
  sysrq support.
  
  The proper way of generating a SAK is to define the key sequence using
  `loadkeys'.  This will work whether or not sysrq support is compiled
  into the kernel.
  
  SAK works correctly when the keyboard is in raw mode.  This means that
  once defined, SAK will kill a running X server.  If the system is in
  run level 5, the X server will restart.  This is what you want to
  happen.
  
  What key sequence should you use? Well, CTRL-ALT-DEL is used to reboot
  the machine.  CTRL-ALT-BACKSPACE is magical to the X server.  We'll
  choose CTRL-ALT-PAUSE.
  
  In your rc.sysinit (or rc.local) file, add the command
  
  	echo "control alt keycode 101 = SAK" | /bin/loadkeys
  
  And that's it!  Only the superuser may reprogram the SAK key.
  
  
  NOTES
  =====
  
  1: Linux SAK is said to be not a "true SAK" as is required by
     systems which implement C2 level security.  This author does not
     know why.
  
  
  2: On the PC keyboard, SAK kills all applications which have
     /dev/console opened.
  
     Unfortunately this includes a number of things which you don't
     actually want killed.  This is because these applications are
     incorrectly holding /dev/console open.  Be sure to complain to your
     Linux distributor about this!
  
     You can identify processes which will be killed by SAK with the
     command
  
  	# ls -l /proc/[0-9]*/fd/* | grep console
  	l-wx------    1 root     root           64 Mar 18 00:46 /proc/579/fd/0 -> /dev/console
  
     Then:
  
  	# ps aux|grep 579
  	root       579  0.0  0.1  1088  436 ?        S    00:43   0:00 gpm -t ps/2
  
     So `gpm' will be killed by SAK.  This is a bug in gpm.  It should
     be closing standard input.  You can work around this by finding the
     initscript which launches gpm and changing it thusly:
  
     Old:
  
  	daemon gpm
  
     New:
  
  	daemon gpm < /dev/null
  
     Vixie cron also seems to have this problem, and needs the same treatment.
  
     Also, one prominent Linux distribution has the following three
     lines in its rc.sysinit and rc scripts:
  
  	exec 3<&0
  	exec 4>&1
  	exec 5>&2
  
     These commands cause *all* daemons which are launched by the
     initscripts to have file descriptors 3, 4 and 5 attached to
     /dev/console.  So SAK kills them all.  A workaround is to simply
     delete these lines, but this may cause system management
     applications to malfunction - test everything well.