I posted the following message in the stable ML the other day, but got
no response. So, I will post it here again.
Please follow the thread PATCH: syscons.c sysctl for PC-Reboo Keys
in the stable ML for background information on this subject.
Kazu
As we have seen so many people expressing so many opinions on this
subject, I shall summarize the current status of disabling special
keys, such as Ctl-Alt-Del, and propose a compromise.
1. Current status
In addition to the Reboot key, we have some other harmful
or dangerous keys.
Keys considered harmful:
Reboot, Panic, Debugger, Halt, Power Down
Suspend and Stand-by keys may also be considered harmful?
In our default keymaps in /usr/share/syscons/keymaps, we have Suspend,
Reboot and Debugger keys in almost all keymaps. Halt, and Panic keys
are defined in some keymaps. (I wonder how do we come to have this
much differences in the keymaps. I thought they were at some point
made to have common special key definitions...) Power Down and
Stand-by keys are not defined in any.
For controlling the behavior of those keys, we have the following.
Kernel options:
SC_DISABLE_REBOOT (for Reboot, Halt, Power Down keys)
SC_DISABLE_DDBKEY (for Debugger key)
Sysctl variable:
machdep.enable_panic_key (for Panic key)
We also have the following kernel option to disable loading of
key maps.
KBD_DISABLE_KEYMAP_LOAD
2. Proposition
In order to not have too many kernel options and sysctl variables
to control individual keys, I shall propose the following compromise.
- - One kernel option to permanently disable all harmful keys.
SC_DISABLE_HARMFUL_KEYS
- - One sysctl variable to enable/disable individual harmful keys.
machdep.disable_harmful_keys
This is a bitmap in which you set a bit to disable corresponding
harmful key.
bit 0: Reboot
bit 1: Halt
bit 2: Power Down
bit 3: Debugger
bit 4: Panic
The initial value is 0; all keys are enabled.
This sysctl variable has no effect if SC_DISABLE_HARMFUL_KEYS is
defined.
I wouldn't like to make this sysctl variable tunable, as anyone
at the boot loader prompt will be able to change it if it's tunable.
If it remains a regular sysctl variable, only the root can modify it.
3. Notes
Both the kernel option and the sysctl variable can be modifiable
only by the root.
We should remember that neither of the kernel option and the
sysctl variable will be able to prevent the user from hitting the
reset button on your system :-)
(Oh, yes, you need to update /etc/ttys so that all ttys to be
insecure, otherwise your inquisitive user can become root without
the root password by hitting the reset switch and booting into the
single-user mode... Yes, you know that :-)
As for keymaps, KBD_DISALBE_KEYMAP_LOAD should be sufficient. I don't
find it a good idea to add any other options or something else, as I
think that it is the behavior of the key that matters, rather than its
presence in the keymap.
There was suggestion that we shall automatically disable all harmful
keys if securelevel has been raised. I don't know if it is desirable.
Someone may also argue that there should be a way to make these keys
take effect only if the keys are hit by the root. I think it's
difficult to implement this scheme. When a key is hit, we don't know,
at that point, to which process the key stroke will be directed, and
which process will eventually eat it...
Comments?
Kazu
To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-current in the body of the message
