[395] in linux-security and linux-alert archive
Re: console security
daemon@ATHENA.MIT.EDU (Andries.Brouwer@cwi.nl)
Thu Sep 28 01:03:19 1995
Date: Tue, 26 Sep 1995 10:26:15 +0100
From: Andries.Brouwer@cwi.nl
To: linux-security@tarsier.cv.nrao.edu

Zygo Blaxell writes:
: Most Unix consoles are pretty secure. You can be assured that after
: asserting DCD low followed by DCD high, for instance, that a serial
: console is now presenting you with a real login prompt, not a program
: the previous user left running. You can be assured that your console is
: not being monitored, and will not be interfered with during the lifetime
: of your session. You can assume that the keyboard keys have some
: default mapping. And, on better consoles, you can hit a key which
: assures that the console is now irretrievably disconnected from whatever
: processes are currently running on it.
:
: None of these are true for Linux; hence Linux console security sucks.
:
: [mod: Linux has had the secure attention key for a very long time; it can
: be enabled using setserial. Is there any indication that it doesn't
: work? --okir]

It does work for tty's, including the console keyboard, in the sense
that it will kill all processes that have a file descriptor open on
the tty or belong to the same session. Also the buffers are flushed.

It does not work in several other senses, as Zygo mentioned:

It does not assure a default key mapping.
  [How could it? Read it from a file? That is not something
  that belongs in the kernel, it is something that login might do.
  Reset to a universal default? But that probably makes the
  keyboard very difficult to use.
  A German keyboard interchanges y and z.
  A French keyboard interchanges a and q, and w and z.
  All national keyboards permute the nonletters nondigits in a random way.]

It does not assure a default font.
  [How could it? Go back to the font in the character ROM?
  A possibility, but again a decision that is better taken outside the kernel.]

It does not assure a default character set to font mapping.

It does not assure that the console is in a useable mode.

Etc.

Since one is not sure of the key mapping, one doesn't know for sure
that the key one presses is really the SAK.

Then there is the matter of aliasing. A file descriptor to /dev/tty2
allows access to the keyboard, so killing everybody on /dev/tty1 is not
enough.

So, no - the SAK is not secure on the console.
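
An added example, not part of the original message: a Python audit for the aliasing point above. It lists processes that hold a descriptor on some other virtual console and none on the tty where SAK was pressed. It checks open descriptors only (not session membership), and the process table built by build_sample_proc() is constructed sample data.

```python
import os
import re
import tempfile

# Virtual-console device names. /dev/tty (controlling-terminal alias) and
# serial lines such as /dev/ttyS0 are deliberately not matched.
VT_RE = re.compile(r"^/dev/(tty\d+|console)$")

def vt_holders(proc_root="/proc"):
    """Map each virtual-console path to the set of pids with a descriptor on it."""
    holders = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited, or we lack permission to inspect it
            continue
        for target in targets:
            if VT_RE.match(target):
                holders.setdefault(target, set()).add(int(entry))
    return holders

def sak_survivors(sak_tty, proc_root="/proc"):
    """Pids holding another virtual console open but no descriptor on sak_tty."""
    holders = vt_holders(proc_root)
    killed = holders.get(sak_tty, set())
    survivors = {}
    for dev, pids in holders.items():
        remaining = sorted(pids - killed)
        if dev != sak_tty and remaining:
            survivors[dev] = remaining
    return survivors

def build_sample_proc():
    """Constructed /proc-like tree: pid -> descriptor targets (sample data only)."""
    sample = {101: ["/dev/tty1", "/dev/tty1"],   # login shell on tty1
              202: ["/dev/tty2", "/dev/null"],   # holds only tty2
              303: ["/dev/tty1", "/dev/tty2"],   # holds both consoles
              404: ["/dev/ttyS0"]}               # serial line, not a VT
    root = tempfile.mkdtemp()
    for pid, targets in sample.items():
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        for n, target in enumerate(targets):
            os.symlink(target, os.path.join(fd_dir, str(n)))
    return root

if __name__ == "__main__":
    print(sak_survivors("/dev/tty1", build_sample_proc()))
```

Run against the real /proc as root, since descriptors of other users' processes are not readable otherwise.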