summaryrefslogtreecommitdiffstats
path: root/Documentation/SAK.txt
diff options
context:
space:
mode:
Diffstat (limited to 'Documentation/SAK.txt')
-rw-r--r--Documentation/SAK.txt88
1 files changed, 0 insertions, 88 deletions
diff --git a/Documentation/SAK.txt b/Documentation/SAK.txt
deleted file mode 100644
index 74be146..0000000
--- a/Documentation/SAK.txt
+++ /dev/null
@@ -1,88 +0,0 @@
-Linux 2.4.2 Secure Attention Key (SAK) handling
-18 March 2001, Andrew Morton
-
-An operating system's Secure Attention Key is a security tool which is
-provided as protection against trojan password capturing programs. It
-is an undefeatable way of killing all programs which could be
-masquerading as login applications. Users need to be taught to enter
-this key sequence before they log in to the system.
-
-From the PC keyboard, Linux has two similar but different ways of
-providing SAK. One is the ALT-SYSRQ-K sequence. You shouldn't use
-this sequence. It is only available if the kernel was compiled with
-sysrq support.
-
-The proper way of generating a SAK is to define the key sequence using
-`loadkeys'. This will work whether or not sysrq support is compiled
-into the kernel.
-
-SAK works correctly when the keyboard is in raw mode. This means that
-once defined, SAK will kill a running X server. If the system is in
-run level 5, the X server will restart. This is what you want to
-happen.
-
-What key sequence should you use? Well, CTRL-ALT-DEL is used to reboot
-the machine. CTRL-ALT-BACKSPACE is magical to the X server. We'll
-choose CTRL-ALT-PAUSE.
-
-In your rc.sysinit (or rc.local) file, add the command
-
- echo "control alt keycode 101 = SAK" | /bin/loadkeys
-
-And that's it! Only the superuser may reprogram the SAK key.
-
-
-NOTES
-=====
-
-1: Linux SAK is said to be not a "true SAK" as is required by
- systems which implement C2 level security. This author does not
- know why.
-
-
-2: On the PC keyboard, SAK kills all applications which have
- /dev/console opened.
-
- Unfortunately this includes a number of things which you don't
- actually want killed. This is because these applications are
- incorrectly holding /dev/console open. Be sure to complain to your
- Linux distributor about this!
-
- You can identify processes which will be killed by SAK with the
- command
-
- # ls -l /proc/[0-9]*/fd/* | grep console
- l-wx------ 1 root root 64 Mar 18 00:46 /proc/579/fd/0 -> /dev/console
-
- Then:
-
- # ps aux|grep 579
- root 579 0.0 0.1 1088 436 ? S 00:43 0:00 gpm -t ps/2
-
- So `gpm' will be killed by SAK. This is a bug in gpm. It should
- be closing standard input. You can work around this by finding the
- initscript which launches gpm and changing it thusly:
-
- Old:
-
- daemon gpm
-
- New:
-
- daemon gpm < /dev/null
-
- Vixie cron also seems to have this problem, and needs the same treatment.
-
- Also, one prominent Linux distribution has the following three
- lines in its rc.sysinit and rc scripts:
-
- exec 3<&0
- exec 4>&1
- exec 5>&2
-
- These commands cause *all* daemons which are launched by the
- initscripts to have file descriptors 3, 4 and 5 attached to
- /dev/console. So SAK kills them all. A workaround is to simply
- delete these lines, but this may cause system management
- applications to malfunction - test everything well.
-