Re: Magic SysRq [was Re: X ignores keyboard and mouse input, but shows cursor movement (etch)]

[Ralph Katz <ralph.katz@rcn.com>]

On 09/18/2007 05:17 PM, David Brodbeck wrote:
> 
> On Sep 18, 2007, at 11:19 AM, Ralph Katz wrote:
>> This is a local vulnerability, yes.  No worse than pulling the plug.  Of
>> course that IS the problem.  Only keyboard access is needed for this.
>>
>> To test, I booted a second etch computer which comes up to a gnome
>> desktop, and hit alt-sysrq-i.  The display shows a nasty pink colored
>> image...  Next was to hit alt-sysrq-b which must be the linux 3-finger
>> salute known to windows people.
> 
> Hmm.  I see what you're getting at, but is this really any worse than
> the default ctrl-alt-del behavior?  (Or is there a security warning
> about that, too?)
> 
> Frankly, if someone has physical access, a reboot is just about the
> least of your worries.  It's pretty trivial for them to gain root access
> if they have physical access to the hardware.

It is worse precisely because it's undocumented.  The default
ctrl-alt-del behavior is documented, so not an issue.

One might ask whether the default ON for sysrq is appropriate for
Stable.  While I don't think it is, my bigger problem is with the
absence of warnings or user documentation.  This is critical for a
distro that cares about its users which is why I filed bug 442512.
Perhaps this is more an issue to me as a non-programmer...

And yes, physical access is problematic.

Regards,
Ralph