ctl-alt-del/secure attention sequence

Kris Kennaway kris at FreeBSD.org
Thu Apr 13 08:36:03 GMT 2000 

On Wed, 12 Apr 2000, Bengt Richter wrote:

> BTW, in my physical environment, the worst risk is that I will swivel on my
> chair from the NT keyboard to the BSD one, and my fingers will do ctl-alt-del
> to get past the screen saver before I get a chance to think. This has bitten
> me several times, so I will configure away the shutdown_nice() next time I
> compile the kernel.

options         SC_DISABLE_REBOOT       # disable reboot key sequence

> Personally, I can't see holding on to the ctl-alt-del => reboot behavior on
> the basis that it is expected on a pc. After all, it was expected mostly
> because it was needed to make certain legacy OS's easily restartable when
> they died. BSD is least as far past that as NT, n'est-ce pas? ;-)
> So I would vote for a change in defaults, or at least asking for root
> password before doing a reboot.

Err, if you're sitting at the console, why would asking for the root
password help when you can just hit the big red button or pull the plug?

> As it is, even non-users (not having accounts) can press ctl-alt-del at
> the login prompt, and reboot. IMHO that shouldn't be default behavior.
> It should take a recompile to get that effect, if you want it, not the
> other way around. Otherwise there is temporary accidental denial of service
> waiting to happen -- for me, anyway. (I hate it when I do that).

If you have random non-users walking up to your secure system and pressing
control-alt-delete you have bigger problems than your box rebooting.

This isn't the place to argue for getting the FreeBSD defaults changed,
though. Take that cause up on FreeBSD-current or FreeBSD-stable.

> In short, I can't see any good reason to shutdown_nice() directly from
> ctl-alt-del unless you're doing some debugging that makes repeated boots
> necessary. In that case, you could recompile to have the feature. Sorry
> if I am ranting.

Or vice versa. If you're tuning your box you almost certainly want to
recompile the kernel anyway.

> Someone suggested that kbdcontrol might be able to disable ctl-alt-del.
> >From a quick skim of the man page it wasn't immediately obvious to me how,
> but if so, I think that would have to be changed in order to make ctl-alt-del
> a proper SAK (which of course is a different ball game from the default
> reboot issue). It would solve my immediate accident-prevention need though :)

I'm not sure about this - check on a FreeBSD list.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe at alum.mit.edu>

To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message

More information about the trustedbsd-discuss mailing list