ctl-alt-del/secure attention sequence

Bengt Richter bokr at accessone.com
Thu Apr 13 03:12:29 GMT 2000


At 10:16 2000-04-12 -0400, you wrote:
>
>Bengt,
>
>I hope you will not object that I have CC'd this response to the
>TrustedBSD discussion mailing list.
>
No prob, I just subscribed -- though I couldn't find an archive, so I won't
be able to respond to anything not CC'd to me before that goes into effect.
I guess you won't mind if I CC this likewise, in case someone is interested.

BTW, in my physical environment, the worst risk is that I will swivel on my
chair from the NT keyboard to the BSD one, and my fingers will do ctl-alt-del
to get past the screen saver before I get a chance to think. This has bitten
me several times, so I will configure away the shutdown_nice() next time I
compile the kernel.

Personally, I can't see holding on to the ctl-alt-del => reboot behavior on
the basis that it is expected on a pc. After all, it was expected mostly
because it was needed to make certain legacy OS's easily restartable when
they died. BSD is at least as far past that as NT, n'est-ce pas? ;-)
So I would vote for a change in defaults, or at least asking for root
password before doing a reboot.

The latter could be done as a driver kludge, or as part of a general
resource/device assignment/pre-emption control system supporting SAK.
OTTOMH, since the general resource mgt problem is higher level, I would
guess letting the console driver just signal a son-of-init daemon to
manage the job of suspending/detaching the current user of the
display/keyboard and securely attaching a trusted login process might
be a way to go. I suspect that approach could be made to handle setting
aside X activity as well. It would be nice if it could be done without
changing h/w display mode, and allowed clean resumption of the previous
session when you logged out or aborted logging in.

Doing it as a console driver kludge could have an advantage in the marginal
case where the system is too broken to give up the display/keyboard gracefully
and you just want to try shutting down before resetting physically. I could
see providing this as emergency backup on a second ctl-alt-del if the first
didn't get access to a secure login. One might want to force video text mode
for this.

[...]

>In the standard PC environment, there is a decent argument that access to
>the physical console of the machine already provides the ability to power
>the machine off, and that mapping Ctrl-Alt-Delete to a safe shutdown
>provides unprivileged console users the ability to shut down the machine
>safely given the physical need to.  In its most frequent deployment, I
>see this as an advantage.  This is certainly something that could be
>revisited, but my temptation would be to use an alternative key press to
>invoke a trusted path.

If I haven't convinced you to revisit yet, I'll add that it seems to me
that if you want to let unprivileged console users shut down, you could
change the permissions for the shutdown and reboot commands, or else you
might want to change the message so that it says

/sbin/shutdown: Permission denied -- but try ctl-alt-del ;-)

As it is, even non-users (not having accounts) can press ctl-alt-del at
the login prompt, and reboot. IMHO that shouldn't be default behavior.
It should take a recompile to get that effect, if you want it, not the
other way around. Otherwise there is temporary accidental denial of service
waiting to happen -- for me, anyway. (I hate it when I do that).

Another reason for removing ctl-alt-del as a direct shutdown trigger
is you will probably want to eliminate it if you set up any console
with public physical access (e.g. a demo unit in a store, or a kiosk
type situation). Some cases have power switch locks, and you can bring
the D/K cables through a physical barrier if you have to,
but you can't prevent folks from pressing ctl-alt-del on an ordinary kb.

In short, I can't see any good reason to shutdown_nice() directly from
ctl-alt-del unless you're doing some debugging that makes repeated boots
necessary. In that case, you could recompile to have the feature. Sorry
if I am ranting.

Someone suggested that kbdcontrol might be able to disable ctl-alt-del.
From a quick skim of the man page it wasn't immediately obvious to me how,
but if so, I think that would have to be changed in order to make ctl-alt-del
a proper SAK (which of course is a different ball game from the default
reboot issue). It would solve my immediate accident-prevention need though :)

Regards,
Bengt Richter
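The kbdcontrol route the message asks about, as an added example that is not part of the original post or of FreeBSD: syscons keymaps in kbdmap(5) format bind the `boot` action to the ctrl-alt columns of the Delete keys, and kbdcontrol -l loads a keymap file, so a keymap with every `boot` token rewritten to `nop` removes the reboot binding without recompiling the kernel. The keymap fragment inside the script is constructed for this example and its scan codes are illustrative rather than copied from a shipped keymap; `disarm_keymap`, `count_action` and `build_noreboot_keymap` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original thread: rewrite a syscons keymap so the
# "boot" action (the default Ctrl-Alt-Del binding, see kbdmap(5)) becomes
# "nop", so the chord no longer reaches the kernel's reboot path from the
# console. The keymap fragment below is constructed for this example and its
# scan codes are illustrative.

# write_sample_keymap FILE: emit a constructed kbdmap(5)-style fragment.
write_sample_keymap() {
    cat > "$1" <<'EOF'
# scan                       cntrl          alt    alt   cntrl lock
# code  base   shift  cntrl  shift  alt    shift  cntrl  shift state
# ------------------------------------------------------------------
# The alt-cntrl columns of the two Delete keys carry the boot action.
  083   del    '.'    del    '.'    del    '.'    boot   boot    N
  111   del    del    del    del    del    del    boot   boot    N
EOF
}

# disarm_keymap: copy stdin to stdout, turning every whole "boot" token into
# "nop". Comment lines pass through untouched. awk rejoins fields with single
# spaces; kbdcontrol parses whitespace-separated tokens, so alignment is
# cosmetic only.
disarm_keymap() {
    awk '
        /^[ \t]*#/ { print; next }
        {
            for (i = 1; i <= NF; i++)
                if ($i == "boot") $i = "nop"
            print
        }'
}

# count_action FILE ACTION: number of non-comment tokens equal to ACTION.
count_action() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        { for (i = 1; i <= NF; i++) if ($i == want) n++ }
        END { print n + 0 }' "$1"
}

# build_noreboot_keymap SRC DST: write the disarmed keymap to DST and report
# the before/after count of "boot" actions; fails if any survive.
build_noreboot_keymap() {
    disarm_keymap < "$1" > "$2" || return 1
    echo "boot actions: $(count_action "$1" boot) before, $(count_action "$2" boot) after"
    [ "$(count_action "$2" boot)" -eq 0 ]
}

# Offline demonstration on the constructed fragment. Loading the result for
# real is:   kbdcontrol -l "$out_map"   (keymap="..." in rc.conf persists it).
src_map=$(mktemp); out_map=$(mktemp)
write_sample_keymap "$src_map"
build_noreboot_keymap "$src_map" "$out_map"
```

Run it against a real keymap by passing /usr/share/syscons/keymaps/<layout>.kbd as SRC and loading DST with kbdcontrol -l. This covers only the accidental-reboot case from the message: it leaves the keyboard otherwise untouched and does nothing to make ctl-alt-del a trusted path. The recompile alternative the message mentions corresponds to building the kernel with `options SC_DISABLE_REBOOT`, which disables the reboot key in syscons regardless of the loaded keymap.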

