From: Kazutaka YOKOTA
To: freebsd-current@freebsd.org
Cc: yokota@zodiac.mech.utsunomiya-u.ac.jp
Subject: Disabling harmful keys (was: Re: PATCH: syscons.c sysctl for PC-Reboo Keys)
Date: Sat, 18 Aug 2001 17:11:20 +0900
Message-Id: <200108180811.RAA16102@zodiac.mech.utsunomiya-u.ac.jp>

I posted the following message in the stable ML the other day, but got no response. So, I will post it here again.

Please follow the thread "PATCH: syscons.c sysctl for PC-Reboo Keys" in the stable ML for background information on this subject.

Kazu

------------------------------------------------------------------------

As we have seen so many people expressing so many opinions on this subject, I shall summarize the current status of disabling special keys, such as Ctl-Alt-Del, and propose a compromise.

1. Current status

In addition to the Reboot key, we have some other "harmful" or "dangerous" keys.
Keys considered harmful: Reboot, Panic, Debugger, Halt, Power Down

Suspend and Stand-by keys may also be considered harmful?

In our default keymaps in /usr/share/syscons/keymaps, we have Suspend, Reboot and Debugger keys in "almost" all keymaps. Halt and Panic keys are defined in some keymaps. (I wonder how we came to have this many differences in the keymaps. I thought they were at some point made to have common special key definitions...) Power Down and Stand-by keys are not defined in any.

For controlling the behavior of those keys, we have the following.

Kernel options:
  SC_DISABLE_REBOOT (for Reboot, Halt, Power Down keys)
  SC_DISABLE_DDBKEY (for Debugger key)

Sysctl variable:
  machdep.enable_panic_key (for Panic key)

We also have the following kernel option to disable loading of key maps.
  KBD_DISABLE_KEYMAP_LOAD

2. Proposition

In order not to have too many kernel options and sysctl variables to control individual keys, I shall propose the following compromise.

- One kernel option to permanently disable all harmful keys.
  SC_DISABLE_HARMFUL_KEYS

- One sysctl variable to enable/disable individual harmful keys.
  machdep.disable_harmful_keys

  This is a bitmap in which you set a bit to disable the corresponding harmful key.
    bit 0: Reboot
    bit 1: Halt
    bit 2: Power Down
    bit 3: Debugger
    bit 4: Panic

  The initial value is 0; all keys are enabled. This sysctl variable has no effect if SC_DISABLE_HARMFUL_KEYS is defined.

  I wouldn't like to make this sysctl variable "tunable", as anyone at the boot loader prompt will be able to change it if it's tunable. If it remains a regular sysctl variable, only the root can modify it.

3. Notes

Both the kernel option and the sysctl variable can be modified only by the root.
We should remember that neither the kernel option nor the sysctl variable will be able to prevent the user from hitting the reset button on your system :-) (Oh, yes, you need to update /etc/ttys so that all ttys are marked "insecure", otherwise your inquisitive user can become root without the root password by hitting the reset switch and booting into single-user mode... Yes, you know that :-)

As for keymaps, KBD_DISABLE_KEYMAP_LOAD should be sufficient. I don't find it a good idea to add any other options or something else, as I think that it is the behavior of the key that matters, rather than its presence in the keymap.

There was a suggestion that we shall automatically disable all harmful keys if securelevel has been raised. I don't know if it is desirable.

Someone may also argue that there should be a way to make these keys take effect only if the keys are hit by the root. I think it's difficult to implement this scheme. When a key is hit, we don't know, at that point, to which process the key stroke will be directed, and which process will eventually eat it...

Comments?

Kazu
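The bitmap semantics proposed in the message (bits 0-4, initial value 0 meaning all keys enabled, and the compile-time option overriding the sysctl), as an added C model that is not part of Kazu's post or of the syscons driver. The function and variable names are hypothetical, and the root-only write rule that the sysctl framework would normally enforce is modelled inside the setter so the behaviour can be exercised stand-alone.

```c
/* Added example, not from the original post: a model of the proposed
 * machdep.disable_harmful_keys bitmap and the SC_DISABLE_HARMFUL_KEYS
 * kernel option. All identifiers except the option name are hypothetical. */
#include <errno.h>

/* Bit assignments exactly as proposed in the message. */
enum harmful_key {
    HK_REBOOT    = 0,
    HK_HALT      = 1,
    HK_POWERDOWN = 2,
    HK_DEBUGGER  = 3,
    HK_PANIC     = 4,
    HK_COUNT     = 5
};
#define HK_ALL_MASK ((1u << HK_COUNT) - 1)   /* 0x1f: every defined bit */

/* Models the sysctl variable; initial value 0 means all keys are enabled. */
static unsigned int disable_harmful_keys = 0;

/* Models the sysctl write path: only root (uid 0) may change the value,
 * and bits with no assigned key are rejected instead of silently kept.
 * Returns 0 on success or an errno value. */
int set_disable_harmful_keys(unsigned int uid, unsigned int value)
{
    if (uid != 0)
        return EPERM;
    if (value & ~HK_ALL_MASK)
        return EINVAL;
    disable_harmful_keys = value;
    return 0;
}

unsigned int get_disable_harmful_keys(void)
{
    return disable_harmful_keys;
}

/* The decision a key handler would make before acting on a special key.
 * When SC_DISABLE_HARMFUL_KEYS is defined at build time the sysctl has no
 * effect: every harmful key is permanently disabled. */
int harmful_key_disabled(enum harmful_key key)
{
#ifdef SC_DISABLE_HARMFUL_KEYS
    (void)key;
    return 1;
#else
    return (int)((disable_harmful_keys >> key) & 1u);
#endif
}
```

Building with -DSC_DISABLE_HARMFUL_KEYS makes harmful_key_disabled() return 1 for every key regardless of the bitmap, which is the override the proposal describes.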