[mirror_ubuntu-bionic-kernel.git] / Documentation / SAK.txt

Linux 2.4.2 Secure Attention Key (SAK) handling
18 March 2001, Andrew Morton

An operating system's Secure Attention Key is a security tool which is
provided as protection against trojan password capturing programs.  It
is an undefeatable way of killing all programs which could be
masquerading as login applications.  Users need to be taught to enter
this key sequence before they log in to the system.

From the PC keyboard, Linux has two similar but different ways of
providing SAK.  One is the ALT-SYSRQ-K sequence.  You shouldn't use
this sequence.  It is only available if the kernel was compiled with
sysrq support.

The proper way of generating a SAK is to define the key sequence using
`loadkeys'.  This will work whether or not sysrq support is compiled
into the kernel.

SAK works correctly when the keyboard is in raw mode.  This means that
once defined, SAK will kill a running X server.  If the system is in
run level 5, the X server will restart.  This is what you want to
happen.

What key sequence should you use? Well, CTRL-ALT-DEL is used to reboot
the machine.  CTRL-ALT-BACKSPACE is magical to the X server.  We'll
choose CTRL-ALT-PAUSE.

In your rc.sysinit (or rc.local) file, add the command

	echo "control alt keycode 101 = SAK" | /bin/loadkeys

And that's it!  Only the superuser may reprogram the SAK key.


NOTES
=====

1: Linux SAK is said to be not a "true SAK" as is required by
   systems which implement C2 level security.  This author does not
   know why.


2: On the PC keyboard, SAK kills all applications which have
   /dev/console opened.

   Unfortunately this includes a number of things which you don't
   actually want killed.  This is because these applications are
   incorrectly holding /dev/console open.  Be sure to complain to your
   Linux distributor about this!

   You can identify processes which will be killed by SAK with the
   command

	# ls -l /proc/[0-9]*/fd/* | grep console
	l-wx------    1 root     root           64 Mar 18 00:46 /proc/579/fd/0 -> /dev/console

   Then:

	# ps aux|grep 579
	root       579  0.0  0.1  1088  436 ?        S    00:43   0:00 gpm -t ps/2

   So `gpm' will be killed by SAK.  This is a bug in gpm.  It should
   be closing standard input.  You can work around this by finding the
   initscript which launches gpm and changing it thusly:

   Old:

	daemon gpm

   New:

	daemon gpm < /dev/null

   Vixie cron also seems to have this problem, and needs the same treatment.

   Also, one prominent Linux distribution has the following three
   lines in its rc.sysinit and rc scripts:

	exec 3<&0
	exec 4>&1
	exec 5>&2

   These commands cause *all* daemons which are launched by the
   initscripts to have file descriptors 3, 4 and 5 attached to
   /dev/console.  So SAK kills them all.  A workaround is to simply
   delete these lines, but this may cause system management
   applications to malfunction - test everything well.
Commit	Line	Data
1da177e4	1	Linux 2.4.2 Secure Attention Key (SAK) handling
e1f8e874	2	18 March 2001, Andrew Morton
1da177e4 LT	3
	4	An operating system's Secure Attention Key is a security tool which is
	5	provided as protection against trojan password capturing programs. It
	6	is an undefeatable way of killing all programs which could be
	7	masquerading as login applications. Users need to be taught to enter
	8	this key sequence before they log in to the system.
	9
	10	From the PC keyboard, Linux has two similar but different ways of
	11	providing SAK. One is the ALT-SYSRQ-K sequence. You shouldn't use
	12	this sequence. It is only available if the kernel was compiled with
	13	sysrq support.
	14
	15	The proper way of generating a SAK is to define the key sequence using
	16	`loadkeys'. This will work whether or not sysrq support is compiled
	17	into the kernel.
	18
	19	SAK works correctly when the keyboard is in raw mode. This means that
	20	once defined, SAK will kill a running X server. If the system is in
	21	run level 5, the X server will restart. This is what you want to
	22	happen.
	23
	24	What key sequence should you use? Well, CTRL-ALT-DEL is used to reboot
	25	the machine. CTRL-ALT-BACKSPACE is magical to the X server. We'll
	26	choose CTRL-ALT-PAUSE.
	27
	28	In your rc.sysinit (or rc.local) file, add the command
	29
	30	echo "control alt keycode 101 = SAK" \| /bin/loadkeys
	31
	32	And that's it! Only the superuser may reprogram the SAK key.
	33
	34
	35	NOTES
	36	=====
	37
	38	1: Linux SAK is said to be not a "true SAK" as is required by
	39	systems which implement C2 level security. This author does not
	40	know why.
	41
	42
	43	2: On the PC keyboard, SAK kills all applications which have
	44	/dev/console opened.
	45
	46	Unfortunately this includes a number of things which you don't
	47	actually want killed. This is because these applications are
	48	incorrectly holding /dev/console open. Be sure to complain to your
	49	Linux distributor about this!
	50
	51	You can identify processes which will be killed by SAK with the
	52	command
	53
	54	# ls -l /proc/[0-9]/fd/ \| grep console
	55	l-wx------ 1 root root 64 Mar 18 00:46 /proc/579/fd/0 -> /dev/console
	56
	57	Then:
	58
	59	# ps aux\|grep 579
	60	root 579 0.0 0.1 1088 436 ? S 00:43 0:00 gpm -t ps/2
	61
	62	So `gpm' will be killed by SAK. This is a bug in gpm. It should
	63	be closing standard input. You can work around this by finding the
	64	initscript which launches gpm and changing it thusly:
	65
	66	Old:
67
68	daemon gpm
69
70	New:
71
72	daemon gpm < /dev/null
73
74	Vixie cron also seems to have this problem, and needs the same treatment.
75
76	Also, one prominent Linux distribution has the following three
77	lines in its rc.sysinit and rc scripts:
78
79	exec 3<&0
80	exec 4>&1
81	exec 5>&2
82
83	These commands cause all daemons which are launched by the
84	initscripts to have file descriptors 3, 4 and 5 attached to
85	/dev/console. So SAK kills them all. A workaround is to simply
86	delete these lines, but this may cause system management
87	applications to malfunction - test everything well.
88