From nobody@FreeBSD.org  Sat Apr  7 16:41:51 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 95E1237B424
	for <freebsd-gnats-submit@FreeBSD.org>; Sat,  7 Apr 2001 16:41:50 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f37Nfok72061;
	Sat, 7 Apr 2001 16:41:50 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200104072341.f37Nfok72061@freefall.freebsd.org>
Date: Sat, 7 Apr 2001 16:41:50 -0700 (PDT)
From: davidx@viasoft.com.cn
To: freebsd-gnats-submit@FreeBSD.org
Subject: ctrl+alt+del --- normal user can reboot machine
X-Send-Pr-Version: www-1.0

>Number:         26416
>Category:       kern
>Synopsis:       ctrl+alt+del --- normal user can reboot machine
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr 07 16:50:01 PDT 2001
>Closed-Date:    Sat Apr 7 17:14:43 PDT 2001
>Last-Modified:  Mon Apr  9 01:00:01 PDT 2001
>Originator:     David Xu
>Release:        FreeBSD 4.3RC
>Organization:
Viasoft
>Environment:
All FreeBSD versions.
>Description:
a normal user can log in on the console and press ctrl+alt+del to reboot the
machine; there is no way to disable this action even if it is what
root wants. a root user can load a tweaked keyboard map to disable
ctrl+alt+del, but a normal user can still load another keyboard map
to re-enable ctrl+alt+del. this is a security problem.

>How-To-Repeat:
log in on the console as a normal user, load a bootable keyboard map, press
ctrl+alt+del, and kick root away.
>Fix:
options:
  1. prevent normal users from loading a keyboard map, but if it is a user
     owned pc, it is kibitzed.
  2. a normal user pressing ctrl+alt+del has no effect, but if it is
     a user owned pc, this is also kibitzed.
  3. final solution, add a sysctl item to let the root user enable/disable
     ctrl+alt+del.

>Release-Note:
>Audit-Trail:

From: David Taylor <davidt@yadt.co.uk>
To: davidx@viasoft.com.cn
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/26416: ctrl+alt+del --- normal user can reboot machine
Date: Sun, 8 Apr 2001 01:01:03 +0100

 On Sat, 07 Apr 2001, davidx@viasoft.com.cn wrote:
 > >Description:
 > a normal user can log in on the console and press ctrl+alt+del to reboot the
 > machine; there is no way to disable this action even if it is what
 > root wants. a root user can load a tweaked keyboard map to disable
 > ctrl+alt+del, but a normal user can still load another keyboard map
 > to re-enable ctrl+alt+del. this is a security problem.
 
 Not strictly true:
 
 options         SC_DISABLE_REBOOT       # disable reboot key sequence
 
 in the kernel config will disable ctrl+alt+del entirely.
 
 > options:
 >   1. prevent normal users from loading a keyboard map, but if it is a user
 >      owned pc, it is kibitzed.
 >   2. a normal user pressing ctrl+alt+del has no effect, but if it is
 >      a user owned pc, this is also kibitzed.
 >   3. final solution, add a sysctl item to let the root user enable/disable
 >      ctrl+alt+del.
 >
 
 IMNSHO, a sysctl to disable c+a+d, and one to disable normal users loading new
 keymaps (i.e. two separate sysctls), would be a good idea.
 
 -- 
 David Taylor
 davidt@yadt.co.uk
 
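 An added example, not code from the PR or from the FreeBSD sources: a small sh/awk helper that builds the kind of "tweaked keyboard map" the report mentions, turning each `boot` action (the one syscons runs on Ctrl+Alt+Del) into `nop`, plus a count of remaining `boot` actions so root can see what a given map does. The keymap rows are constructed, and the kbdcontrol(1) invocations in the comments are assumed usage rather than anything stated in the thread.

```shell
#!/bin/sh
# Added example, not code from the PR or from FreeBSD: produce the "tweaked
# keyboard map" the report describes (every `boot` action replaced by `nop`)
# and check a map for remaining `boot` actions. Assumes kbdmap(5) layout: a
# scancode followed by action tokens, with `#` comment lines. The sample
# rows below are constructed, not copied from a real keymap.

# Print how many `boot` actions the keymap read from stdin still contains.
count_boot_actions() {
    awk '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == "boot") n++ }
         END { print n + 0 }'
}

# Copy the keymap on stdin to stdout with every `boot` action turned into `nop`.
disable_boot_action() {
    awk '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == "boot") $i = "nop" }
         { print }'
}

# Constructed sample: a comment, a harmless key, and a key whose
# alt-ctrl and alt-shift-ctrl columns carry the boot action.
SAMPLE_KEYMAP="# constructed sample keymap rows
  079   '1'    end    '1'    end    '1'    end    '1'    end     N
  083   del    '.'    del    '.'    del    '.'    boot   boot    N"

# Assumed typical use as root: dump the active map, strip boot, load the result.
#   kbdcontrol -d | disable_boot_action > /usr/local/etc/noboot.kbd
#   kbdcontrol -l /usr/local/etc/noboot.kbd
if [ "${1:-}" = "demo" ]; then
    printf 'boot actions before: %s\n' \
        "$(printf '%s\n' "$SAMPLE_KEYMAP" | count_boot_actions)"
    printf '%s\n' "$SAMPLE_KEYMAP" | disable_boot_action
fi
```

 As the report itself points out, this only helps while no console user loads a different map, which is why the `options SC_DISABLE_REBOOT` kernel setting above is the enforceable control.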
State-Changed-From-To: open->closed 
State-Changed-By: billf 
State-Changed-When: Sat Apr 7 17:14:43 PDT 2001 
State-Changed-Why:  
As explained on the mailing list by phk, this is provided as 
a kernel option and can also be controlled by keyboard mappings. 

If the machine is going to be used by untrusted users at 
the console, the kernel option is a good idea. 

Providing a sysctl to allow ctrl-alt-del and then changing 
that sysctl and pressing ctrl-alt-del to reboot a machine is 
the long way of typing 'reboot'. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=26416 

From: Dima Dorfman <dima@unixfreak.org>
To: davidx@viasoft.com.cn
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/26416: ctrl+alt+del --- normal user can reboot machine 
Date: Sat, 07 Apr 2001 17:23:58 -0700

 davidx@viasoft.com.cn writes:
 > >Description:
 > a normal user can login console and press ctrl+alt+del to reboot
 > machine, there is no way to disable this action even it is what 
 > root want. a root user can load a tweaked keyboard map to disable
 > ctrl+alt+del, but a normal user can still load another keyboard map
 > to re-enable ctrl+alt+del. this is a security problem.
 
 A normal user can also plant an explosive device next to the computer
 and blow it up.  They can also throw a grenade.  Failing that, they
 can rip the computer off the rack (or table) and throw it out a
 window.  If you don't have a window, they can throw it against a wall.
 Heck, they can just push the power button!  What do you expect FreeBSD
 to do about that?
 
 In other words, I don't think this is a security hole.  There are
 bigger problems when a user has console access.  A reboot via the
 three-finger-salute is but a minor detail.  Also, as someone has
 already pointed out, there is a kernel option to disable this.  Since
 it's not something you would want to be turning on and off on a
 regular basis, there's no need for a sysctl.
 
 Regards,
 
 					Dima Dorfman
 					dima@unixfreak.org

From: Dag-Erling Smorgrav <des@ofug.org>
To: davidx@viasoft.com.cn
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: kern/26416: ctrl+alt+del --- normal user can reboot machine
Date: 09 Apr 2001 03:06:08 +0200

 davidx@viasoft.com.cn writes:
 > a normal user can login console and press ctrl+alt+del to reboot
 > machine [...]
 
 Yes.  It's a feature.  In the unhappy circumstance where you actually
 have to give users access to the console, and one of them figures the
 box needs a reboot 'cause it's too slow to his taste or something,
 what would you rather have him press: Ctrl-Alt-Del, or the reset
 button?
 
 DES
 -- 
 Dag-Erling Smorgrav - des@ofug.org

From: Will Andrews <will@physics.purdue.edu>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: FreeBSD GNATS DB <FreeBSD-gnats-submit@FreeBSD.org>
Subject: Re: kern/26416: ctrl+alt+del --- normal user can reboot machine
Date: Sun, 8 Apr 2001 20:22:24 -0500

 On Sun, Apr 08, 2001 at 06:10:03PM -0700, Dag-Erling Smorgrav wrote:
 >  Yes.  It's a feature.  In the unhappy circumstance where you actually
 >  have to give users access to the console, and one of them figures the
 >  box needs a reboot 'cause it's too slow to his taste or something,
 >  what would you rather have him press: Ctrl-Alt-Del, or the reset
 >  button?
 
 Hear, hear.
 
 -- 
 wca

From: "David Xu" <davidx@viasoft.com.cn>
To: "Dag-Erling Smorgrav" <des@ofug.org>
Cc: <freebsd-gnats-submit@FreeBSD.ORG>
Subject: Re: kern/26416: ctrl+alt+del --- normal user can reboot machine
Date: Mon, 9 Apr 2001 10:27:15 +0800

 ----- Original Message -----
 From: "Dag-Erling Smorgrav" <des@ofug.org>
 To: <davidx@viasoft.com.cn>
 Cc: <freebsd-gnats-submit@FreeBSD.ORG>
 Sent: Monday, April 09, 2001 9:06 AM
 Subject: Re: kern/26416: ctrl+alt+del --- normal user can reboot machine
 
 
 > davidx@viasoft.com.cn writes:
 > > a normal user can login console and press ctrl+alt+del to reboot
 > > machine [...]
 > 
 > Yes.  It's a feature.  In the unhappy circumstance where you actually
 > have to give users access to the console, and one of them figures the
 > box needs a reboot 'cause it's too slow to his taste or something,
 > what would you rather have him press: Ctrl-Alt-Del, or the reset
 > button?
 > 
 > DES
 > -- 
 > Dag-Erling Smorgrav - des@ofug.org
 
 well, if a normal user can not execute "reboot" command, why does FBSD
 allow him to press ctrl+alt+del? it is obviously inconsistent. a sysctl to enable/disable
 this action by root is needed. we have a web server at ISP data center room,
 our office has a long distance to them, so we use ssh to remotely maintain server,
 sometimes we need guys at ISP help us to press ctrl+alt+del reboot machine, but most
 time we don't allow them to reboot, we use sysctl to disable this action, for some reasons
 we don't use reboot command. we have hacked syscons source code, added this feature,
 at least, it works well, but unfortunately, every time a cvsup will overwrite our source code,
 I need re-patch it again, I hate to do it again and again, so my request goes out.
 
 Regards,
 ---
 David Xu
 

From: Dag-Erling Smorgrav <des@ofug.org>
To: "David Xu" <davidx@viasoft.com.cn>
Cc: <freebsd-gnats-submit@FreeBSD.ORG>
Subject: Re: kern/26416: ctrl+alt+del --- normal user can reboot machine
Date: 09 Apr 2001 09:49:23 +0200

 "David Xu" <davidx@viasoft.com.cn> writes:
 > well,  if a normal user can not execute "reboot" command,  why does FBSD
 > allow him to press ctrl+alt+del? it is obviously inconsistent.
 
 No.  There is a fundamental difference between the reboot(8) command
 and Ctrl+Alt+Del: the latter is only available to the user sitting at
 the console.
 
 > we have hacked syscons source code, added this feature, at least, it
 > works well, but unfortunately, every time a cvsup will overwrite our
 > source code, I need re-patch it again, I hate to do it again and
 > again, so my request goes out.
 
 There are several documented ways of preventing cvsup from overwriting
 modified files (one of which is to use cvs instead).
 
 Also, I see no mention of a patch anywhere in your PR.
 
 DES
 -- 
 Dag-Erling Smorgrav - des@ofug.org
>Unformatted:
