Secure attention Key: Login and GkSudo
Reinhard Tartler
siretart at ubuntu.com
Mon Oct 31 06:56:12 UTC 2011
On Mon, Oct 31, 2011 at 06:50:42 (CET), staticd wrote:
> On Mon, Oct 31, 2011 at 12:07 AM, Reinhard Tartler <siretart at ubuntu.com> wrote:
>
>> On Sun, Oct 30, 2011 at 15:11:04 (CET), staticd wrote:
>>
>> >> Windows NT is designed so that, unless system security is already
>> >> compromised in some other way, only the Winlogon process, a trusted
>> >> system process, can receive notification of this keystroke
>> >> combination. This is because the kernel remembers the process ID of
>> >> the Winlogon process, and allows only that process to receive the
>> >> notification.
>> >>
>> >> So says Wikipedia.
>> >>
>> >> Interestingly, VMWare catches the sequence as well.
>> >>
>> >>
>> > I was thinking of an Alt+Sysrq combination capturable only by the kernel.
>> > (Ctrl+Alt+Sysrq ?)
>>
>> The SAK for Linux systems is Alt+Sysrq+k
>>
>> While this SAK can be disabled, Ubuntu ships with this functionality
>> enabled. It safely and uncatchably terminates your running X11 session,
>> returning back to your login manager.
>>
>> Cheers,
>> Reinhard.
>>
>> --
>> Gruesse/greetings,
>> Reinhard Tartler, KeyID 945348A4
>>
>
> Reinhard,
> doesn't pressing Alt+Sysrq+k kill the current X session?

Yes, that's correct.
See also the upstream documentation:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/sysrq.txt,

> Is there a secure way of getting the login manager without disrupting other
> users who are also working in the background? (a switch user functionality
> that cannot be spoofed)

Not one that I would be currently aware of.

> Do you know how I could go about implementing this?

Change the login/display manager to always allocate a new VT and switch
to it after successful login. The login manager would continue to be
active on its old VT. Then your SAK would be CTRL-ALT-F7 (if v7 is
your 'secure' vt with the login manager). This could probably be made
more 'user-friendly', but I think you get the general idea.

Cheers,
Reinhard.
--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
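
Added example, not part of the original message or of any Ubuntu tooling: a check for whether the running kernel will act on Alt+SysRq+k, based on the `kernel.sysrq` bitmask described in the kernel's sysrq documentation. The function names and the sample values in the comments are constructed for illustration.

```shell
#!/bin/sh
# Decide whether the kernel honours Alt+SysRq+k (SAK) for a kernel.sysrq value.
# Per the kernel sysrq documentation: 0 = everything disabled, 1 = everything
# enabled, any other value is a bitmask in which 4 enables keyboard control
# (SAK, unraw).
SYSRQ_ENABLE_KEYBOARD=4

# sak_allowed VALUE -> exit 0 if SAK is permitted, 1 if not, 2 on bad input
sak_allowed() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;        # empty or non-numeric
    esac
    [ "$1" -eq 0 ] && return 1          # SysRq switched off entirely
    [ "$1" -eq 1 ] && return 0          # all SysRq functions enabled
    [ $(( $1 & SYSRQ_ENABLE_KEYBOARD )) -ne 0 ]
}

# sak_report [FILE] -> print a one-line verdict; FILE defaults to the live
# sysctl, and may be pointed at a saved copy (constructed test input).
sak_report() {
    file=${1:-/proc/sys/kernel/sysrq}
    if [ ! -r "$file" ]; then
        echo "unknown: cannot read $file"
        return 2
    fi
    value=$(cat "$file")
    rc=0
    sak_allowed "$value" || rc=$?
    case $rc in
        0) echo "SAK enabled (kernel.sysrq=$value)" ;;
        1) echo "SAK disabled (kernel.sysrq=$value)" ;;
        *) echo "unknown: unparsable value '$value'" ;;
    esac
    return $rc
}

# Report on the running system when invoked as: sh script.sh report
if [ "${1:-}" = "report" ]; then
    sak_report
fi
```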