Date:      Fri, 10 Aug 2001 21:31:11 +0900
From:      Kazutaka YOKOTA <yokota@zodiac.mech.utsunomiya-u.ac.jp>
To:        freebsd-stable@freebsd.org
Cc:        yokota@zodiac.mech.utsunomiya-u.ac.jp
Subject:   Disabling harmful keys (was: Re: PATCH: syscons.c sysctl for PC-Reboot Keys)
Message-ID:  <200108101231.VAA17040@zodiac.mech.utsunomiya-u.ac.jp>

As we have seen so many people expressing so many opinions on this
subject, I shall summarize the current status of disabling special
keys, such as Ctl-Alt-Del, and propose a compromise.


1. Current status

In addition to the Reboot key, we have some other "harmful" 
or "dangerous" keys.

Keys considered harmful:
Reboot, Panic, Debugger, Halt, Power Down

Suspend and Stand-by keys may also be considered harmful?

In our default keymaps in /usr/share/syscons/keymaps, we have Suspend,
Reboot and Debugger keys in "almost" all keymaps. Halt, and Panic keys
are defined in some keymaps.  (I wonder how we came to have this
many differences in the keymaps. I thought they were at some point
made to have common special key definitions...)  Power Down and
Stand-by keys are not defined in any.

For controlling the behavior of those keys, we have the following.

Kernel options:

SC_DISABLE_REBOOT (for Reboot, Halt, Power Down keys)
SC_DISABLE_DDBKEY (for Debugger key)

Sysctl variable:

machdep.enable_panic_key (for Panic key)

We also have the following kernel option to disable loading of
key maps.

KBD_DISABLE_KEYMAP_LOAD


2. Proposition

In order to not have too many kernel options and sysctl variables
to control individual keys, I shall propose the following compromise.

- One kernel option to permanently disable all harmful keys.
SC_DISABLE_HARMFUL_KEYS

- One sysctl variable to enable/disable individual harmful keys.
machdep.disable_harmful_keys

This is a bitmap in which you set a bit to disable the corresponding
harmful key.

bit 0: Reboot
bit 1: Halt
bit 2: Power Down
bit 3: Debugger
bit 4: Panic

The initial value is 0; all keys are enabled.

This sysctl variable has no effect if SC_DISABLE_HARMFUL_KEYS is
defined.

I wouldn't like to make this sysctl variable "tunable", as anyone
at the boot loader prompt will be able to change it if it's tunable.
If it remains a regular sysctl variable, only root can modify it.


3. Notes

Both the kernel option and the sysctl variable can be modified
only by root.

We should remember that neither the kernel option nor the
sysctl variable will be able to prevent the user from hitting the
reset button on your system :-) 

(Oh, yes, you need to update /etc/ttys so that all ttys are marked
"insecure", otherwise your inquisitive user can become root without
the root password by hitting the reset switch and booting into
single-user mode... Yes, you know that :-)

As for keymaps, KBD_DISABLE_KEYMAP_LOAD should be sufficient.  I don't
find it a good idea to add any other options or something else, as I
think that it is the behavior of the key that matters, rather than its
presence in the keymap.

There was a suggestion that we should automatically disable all harmful
keys if securelevel has been raised.  I don't know if it is desirable.

Someone may also argue that there should be a way to make these keys
take effect only if the keys are hit by the root. I think it's
difficult to implement this scheme.  When a key is hit, we don't know,
at that point, to which process the key stroke will be directed, and
which process will eventually eat it...


Comments?

Kazu
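The bitmap semantics proposed in section 2, modelled in C as an added illustration; this is not syscons code and not part of the message. The bit numbers and the "kernel option overrides the sysctl" rule come from the proposal, while the function names and the rejection of undefined bits on a sysctl write are assumptions.

```c
/* Model of the proposed machdep.disable_harmful_keys bitmap and the
 * SC_DISABLE_HARMFUL_KEYS kernel option (added example, not syscons code). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit assignments exactly as proposed in section 2 of the message. */
enum harmful_key {
    KEY_REBOOT    = 0,
    KEY_HALT      = 1,
    KEY_POWERDOWN = 2,
    KEY_DEBUGGER  = 3,
    KEY_PANIC     = 4,
};

#define HARMFUL_KEY_BIT(k) (1u << (k))
#define HARMFUL_KEY_ALL    (HARMFUL_KEY_BIT(KEY_PANIC + 1) - 1)   /* 0x1f */

/* Stand-in for the sysctl variable; initial value 0 means all keys enabled. */
static uint32_t disable_harmful_keys = 0;

/* Stand-in for the compile-time option: when built with it, every harmful
 * key is permanently disabled and the sysctl has no effect. */
#ifdef SC_DISABLE_HARMFUL_KEYS
static const bool harmful_keys_compiled_out = true;
#else
static const bool harmful_keys_compiled_out = false;
#endif

/* Emulate a root-only sysctl write.  Rejecting bits outside the five
 * defined ones is an assumption; the proposal does not specify it. */
int set_disable_harmful_keys(uint32_t value)
{
    if (value & ~HARMFUL_KEY_ALL)
        return -1;                      /* would be EINVAL in the kernel */
    disable_harmful_keys = value;
    return 0;
}

/* Decision the keyboard driver would make when a harmful key is hit. */
bool harmful_key_enabled(enum harmful_key k)
{
    if (harmful_keys_compiled_out)
        return false;                   /* kernel option wins over sysctl */
    return (disable_harmful_keys & HARMFUL_KEY_BIT(k)) == 0;
}

int main(void)
{
    /* Disable Reboot and Debugger, leave Halt, Power Down and Panic enabled. */
    set_disable_harmful_keys(HARMFUL_KEY_BIT(KEY_REBOOT) | HARMFUL_KEY_BIT(KEY_DEBUGGER));
    printf("reboot key %s, panic key %s\n",
           harmful_key_enabled(KEY_REBOOT) ? "enabled" : "disabled",
           harmful_key_enabled(KEY_PANIC)  ? "enabled" : "disabled");
    return 0;
}
```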
