| Summary: | ctrl+alt+del --- normal user can reboot machine | ||
|---|---|---|---|
| Product: | Base System | Reporter: | davidx <davidx> |
| Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | Unspecified | ||
| Hardware: | Any | ||
| OS: | Any | ||
On Sat, 07 Apr 2001, davidx@viasoft.com.cn wrote:
> >Description:
> a normal user can login console and press ctrl+alt+del to reboot
> machine, there is no way to disable this action even it is what
> root want. a root user can load a tweaked keyboard map to disable
> ctrl+alt+del, but a normal user can still load another keyboard map
> to re-enable ctrl+alt+del. this is a security problem.

Not strictly true:

    options SC_DISABLE_REBOOT # disable reboot key sequence

in the kernel config will disable ctrl+alt+del entirely.

> options:
> 1. disable normal user to load a keyboard map, but if it is a user
> owned pc, it is kibitzed.
> 2. normal user presses ctrl+alt+del has no effect, but if it is
> a user owned pc, this is also kibitzed.
> 3. final solution, add a sysctl item to let root user enable/disable
> ctrl+alt+del.
>

IMNSHO, a sysctl to disable c+a+d, and to disable normal users loading
new keymaps (i.e. two separate sysctls), would be a good idea..

--
David Taylor
davidt@yadt.co.uk

State Changed
From-To: open->closed

As explained on the mailing list by phk, this is provided as a kernel
option and can also be controlled by keyboard mappings. If the machine
is going to be used by untrusted users at the console, the kernel
option is a good idea. Providing a sysctl to allow ctrl-alt-del and
then changing that sysctl and pressing ctrl-alt-del to reboot a machine
is the long way of typing 'reboot'.

davidx@viasoft.com.cn writes:
> >Description:
> a normal user can login console and press ctrl+alt+del to reboot
> machine, there is no way to disable this action even it is what
> root want. a root user can load a tweaked keyboard map to disable
> ctrl+alt+del, but a normal user can still load another keyboard map
> to re-enable ctrl+alt+del. this is a security problem.

A normal user can also plant an explosive device next to the computer
and blow it up. They can also throw a grenade. Failing that, they can
rip the computer off the rack (or table) and throw it out a window. If
you don't have a window, they can throw it against a wall. Heck, they
can just push the power button! What do you expect FreeBSD to do about
that?

In other words, I don't think this is a security hole. There are bigger
problems when a user has console access. A reboot via the
three-finger-salute is but a minor detail.

Also, as someone has already pointed out, there is a kernel option to
disable this. Since it's not something you would want to be turning on
and off on a regular basis, there's no need for a sysctl.

Regards,
Dima Dorfman
dima@unixfreak.org

davidx@viasoft.com.cn writes:
> a normal user can login console and press ctrl+alt+del to reboot
> machine [...]

Yes. It's a feature. In the unhappy circumstance where you actually
have to give users access to the console, and one of them figures the
box needs a reboot 'cause it's too slow to his taste or something,
what would you rather have him press: Ctrl-Alt-Del, or the reset
button?

DES
--
Dag-Erling Smorgrav - des@ofug.org

On Sun, Apr 08, 2001 at 06:10:03PM -0700, Dag-Erling Smorgrav wrote:
> Yes. It's a feature. In the unhappy circumstance where you actually
> have to give users access to the console, and one of them figures the
> box needs a reboot 'cause it's too slow to his taste or something,
> what would you rather have him press: Ctrl-Alt-Del, or the reset
> button?
Hear, hear.
--
wca

"David Xu" <davidx@viasoft.com.cn> writes:
> well, if a normal user can not execute "reboot" command, why does FBSD
> allow him to press ctrl+alt+del? it is obviously inconsistent.

No. There is a fundamental difference between the reboot(8) command
and Ctrl+Alt+Del: the latter is only available to the user sitting at
the console.

> we have hacked syscons source code, added this feature, at least, it
> works well, but unfortunately, every time a cvsup will overwrite our
> source code, I need re-patch it again, I hate to do it again and
> again, so my request goes out.

There are several documented ways of preventing cvsup from overwriting
modified files (one of which is to use cvs instead). Also, I see no
mention of a patch anywhere in your PR.

DES
--
Dag-Erling Smorgrav - des@ofug.org

a normal user can login console and press ctrl+alt+del to reboot
machine, there is no way to disable this action even it is what
root want. a root user can load a tweaked keyboard map to disable
ctrl+alt+del, but a normal user can still load another keyboard map
to re-enable ctrl+alt+del. this is a security problem.

Fix:

options:
1. disable normal user to load a keyboard map, but if it is a user
   owned pc, it is kibitzed.
2. normal user presses ctrl+alt+del has no effect, but if it is
   a user owned pc, this is also kibitzed.
3. final solution, add a sysctl item to let root user enable/disable
   ctrl+alt+del.

How-To-Repeat:

login console via normal user, load a bootable keyboard map,
press ctrl+alt+del, kick root away.
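
An added example (not code from the PR or from FreeBSD) that audits the two controls named in the thread: the `SC_DISABLE_REBOOT` kernel option and the keymap's reboot binding. The file names, sample contents and status labels are constructed, and the keymap layout is assumed to follow kbdmap(5), where the action `boot` reboots.

```sh
#!/bin/sh
# Added example, not FreeBSD project code. Assumed formats: kernel config
# lines "options NAME" with '#' comments; kbdmap(5) keymap lines
# "<scancode> <actions...> <lock flag>", where the action "boot" reboots.

# Succeeds if SC_DISABLE_REBOOT is set on an uncommented options line.
reboot_key_disabled() {
    awk '{ sub(/#.*/, "") }
         $1 == "options" && $2 == "SC_DISABLE_REBOOT" { found = 1 }
         END { exit(found ? 0 : 1) }' "$1"
}

# Prints every scancode whose keymap line still binds a "boot" action.
keymap_boot_keys() {
    # Skip whole-line comments only: a quoted '#' is a legal key value.
    awk '/^[ \t]*#/ { next }
         $1 ~ /^[0-9]+$/ {
             for (i = 2; i < NF; i++)      # last field is the lock flag
                 if ($i == "boot") { print $1; break }
         }' "$1"
}

# Classifies a host from its kernel config ($1) and console keymap ($2).
# "disabled-by-keymap-only" is the state the reporter says a user can undo
# by loading another keymap.
console_reboot_status() {
    if reboot_key_disabled "$1"; then echo "disabled-in-kernel"
    elif [ -z "$(keymap_boot_keys "$2")" ]; then echo "disabled-by-keymap-only"
    else echo "enabled"
    fi
}

# Constructed sample inputs (not taken from a real system).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'options INET' \
    '#options SC_DISABLE_REBOOT # disable reboot key sequence' > "$tmp/OPEN"
printf '%s\n' 'options SC_DISABLE_REBOOT # disable reboot key sequence' > "$tmp/LOCKED"
printf '%s\n' "  004   '3'    '#'    nop    nop    '3'    '#'    nop    nop     O" \
    "  083   del    '.'    '.'    '.'    '.'    '.'    boot   boot    N" > "$tmp/stock.kbd"
sed 's/boot/nop/g' "$tmp/stock.kbd" > "$tmp/tweaked.kbd"

for kern in OPEN LOCKED; do
    for map in stock tweaked; do
        echo "$kern + $map.kbd: $(console_reboot_status "$tmp/$kern" "$tmp/$map.kbd")"
    done
done
```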