[linux.git] / Documentation / SAK.txt

=========================================
Linux Secure Attention Key (SAK) handling
=========================================

:Date: 18 March 2001
:Author: Andrew Morton

An operating system's Secure Attention Key is a security tool which is
provided as protection against trojan password capturing programs.  It
is an undefeatable way of killing all programs which could be
masquerading as login applications.  Users need to be taught to enter
this key sequence before they log in to the system.

From the PC keyboard, Linux has two similar but different ways of
providing SAK.  One is the ALT-SYSRQ-K sequence.  You shouldn't use
this sequence.  It is only available if the kernel was compiled with
sysrq support.

The proper way of generating a SAK is to define the key sequence using
``loadkeys``.  This will work whether or not sysrq support is compiled
into the kernel.

SAK works correctly when the keyboard is in raw mode.  This means that
once defined, SAK will kill a running X server.  If the system is in
run level 5, the X server will restart.  This is what you want to
happen.

What key sequence should you use? Well, CTRL-ALT-DEL is used to reboot
the machine.  CTRL-ALT-BACKSPACE is magical to the X server.  We'll
choose CTRL-ALT-PAUSE.

In your rc.sysinit (or rc.local) file, add the command::

	echo "control alt keycode 101 = SAK" | /bin/loadkeys

And that's it!  Only the superuser may reprogram the SAK key.


.. note::

  1. Linux SAK is said to be not a "true SAK" as is required by
     systems which implement C2 level security.  This author does not
     know why.


  2. On the PC keyboard, SAK kills all applications which have
     /dev/console opened.

     Unfortunately this includes a number of things which you don't
     actually want killed.  This is because these applications are
     incorrectly holding /dev/console open.  Be sure to complain to your
     Linux distributor about this!

     You can identify processes which will be killed by SAK with the
     command::

	# ls -l /proc/[0-9]*/fd/* | grep console
	l-wx------    1 root     root           64 Mar 18 00:46 /proc/579/fd/0 -> /dev/console

     Then::

	# ps aux|grep 579
	root       579  0.0  0.1  1088  436 ?        S    00:43   0:00 gpm -t ps/2

     So ``gpm`` will be killed by SAK.  This is a bug in gpm.  It should
     be closing standard input.  You can work around this by finding the
     initscript which launches gpm and changing it thusly:

     Old::

	daemon gpm

     New::

	daemon gpm < /dev/null

     Vixie cron also seems to have this problem, and needs the same treatment.

     Also, one prominent Linux distribution has the following three
     lines in its rc.sysinit and rc scripts::

	exec 3<&0
	exec 4>&1
	exec 5>&2

     These commands cause **all** daemons which are launched by the
     initscripts to have file descriptors 3, 4 and 5 attached to
     /dev/console.  So SAK kills them all.  A workaround is to simply
     delete these lines, but this may cause system management
     applications to malfunction - test everything well.
Commit	Line	Data
2273194d MCC	1	=========================================
	2	Linux Secure Attention Key (SAK) handling
	3	=========================================
	4
	5	:Date: 18 March 2001
	6	:Author: Andrew Morton
1da177e4 LT	7
	8	An operating system's Secure Attention Key is a security tool which is
	9	provided as protection against trojan password capturing programs. It
	10	is an undefeatable way of killing all programs which could be
	11	masquerading as login applications. Users need to be taught to enter
	12	this key sequence before they log in to the system.
	13
	14	From the PC keyboard, Linux has two similar but different ways of
	15	providing SAK. One is the ALT-SYSRQ-K sequence. You shouldn't use
	16	this sequence. It is only available if the kernel was compiled with
	17	sysrq support.
	18
	19	The proper way of generating a SAK is to define the key sequence using
2273194d	20	``loadkeys``. This will work whether or not sysrq support is compiled
1da177e4 LT	21	into the kernel.
	22
	23	SAK works correctly when the keyboard is in raw mode. This means that
	24	once defined, SAK will kill a running X server. If the system is in
	25	run level 5, the X server will restart. This is what you want to
	26	happen.
	27
	28	What key sequence should you use? Well, CTRL-ALT-DEL is used to reboot
	29	the machine. CTRL-ALT-BACKSPACE is magical to the X server. We'll
	30	choose CTRL-ALT-PAUSE.
	31
2273194d	32	In your rc.sysinit (or rc.local) file, add the command::
1da177e4 LT	33
	34	echo "control alt keycode 101 = SAK" \| /bin/loadkeys
	35
	36	And that's it! Only the superuser may reprogram the SAK key.
	37
	38
2273194d	39	.. note::
1da177e4	40
2273194d MCC	41	1. Linux SAK is said to be not a "true SAK" as is required by
	42	systems which implement C2 level security. This author does not
	43	know why.
1da177e4 LT	44
1da177e4 LT	45
2273194d MCC	46	2. On the PC keyboard, SAK kills all applications which have
2273194d MCC	47	/dev/console opened.
1da177e4	48
2273194d MCC	49	Unfortunately this includes a number of things which you don't
	50	actually want killed. This is because these applications are
	51	incorrectly holding /dev/console open. Be sure to complain to your
	52	Linux distributor about this!
1da177e4	53
2273194d MCC	54	You can identify processes which will be killed by SAK with the
2273194d MCC	55	command::
1da177e4 LT	56
	57	# ls -l /proc/[0-9]/fd/ \| grep console
	58	l-wx------ 1 root root 64 Mar 18 00:46 /proc/579/fd/0 -> /dev/console
	59
2273194d	60	Then::
1da177e4 LT	61
	62	# ps aux\|grep 579
	63	root 579 0.0 0.1 1088 436 ? S 00:43 0:00 gpm -t ps/2
	64
2273194d MCC	65	So ``gpm`` will be killed by SAK. This is a bug in gpm. It should
	66	be closing standard input. You can work around this by finding the
	67	initscript which launches gpm and changing it thusly:
1da177e4	68
2273194d	69	Old::
1da177e4 LT	70
	71	daemon gpm
	72
2273194d	73	New::
1da177e4 LT	74
	75	daemon gpm < /dev/null
	76
2273194d	77	Vixie cron also seems to have this problem, and needs the same treatment.
1da177e4	78
2273194d MCC	79	Also, one prominent Linux distribution has the following three
2273194d MCC	80	lines in its rc.sysinit and rc scripts::
1da177e4 LT	81
	82	exec 3<&0
	83	exec 4>&1
	84	exec 5>&2
	85
2273194d MCC	86	These commands cause all daemons which are launched by the
	87	initscripts to have file descriptors 3, 4 and 5 attached to
	88	/dev/console. So SAK kills them all. A workaround is to simply
	89	delete these lines, but this may cause system management
	90	applications to malfunction - test everything well.
1da177e4	91