Mailinglist Archive: opensuse-security (547 mails)
RE: [suse-security] preventing login screen emulation?
- From: "Michael Grundel" <m1chael@xxxxxxx>
- Date: Wed, 1 Nov 2000 22:16:26 +0100
- Message-id: <LKEGIAOKHBLLECJKINFEOELIDLAA.m1chael@xxxxxxx>
[snip]
> > Is there a way to prevent a user from "emulating" a login screen (especially
> > for the console)?
>
> This is a difficult problem. You can't really tell if somebody emulates a
> login screen. You need to kill all processes accessing the console at the
> time before a password is entered by a user. Basically, only three ideas
> come into my mind whereas the last is the most suitable:
>
> On X (xdm, kdm, gdm), the admin could remove the suid bit from the
> Xwrapper program (that runs the X-server, finally). Before the user logs
> on, he could kill the running X-server using the ctrl-alt-backspace
> method. Then a new X-server comes up, which can only be started as root
> from (x|k|g)dm.
>
> The second solution is using the sysrq (system request) magic from the
> kernel (v2.2+). sysrq-k kills all programs running on the current virtual
> console. Very handy at times if you play around with realtime stuff... :-)
> Downside: It is possible for a user to boot the machine and do other nasty
> stuff.
>
> The last that comes into my mind is a small script or program that runs
> started by init and that kills all non-root (and possibly others) programs
> on the machine. It could be bound to ctrl-alt-del like the following
> (/etc/inittab):
>
> ca::ctrlaltdel:/bin/fuser -k /dev/tty[1-6]
>
> Unfortunately, this will be executed only once since init remembers that
> it did already. So this requires either a small init hack or another line in
> /etc/inittab as well as a little shell script, looking like this:
>
> ca::ctrlaltdel:/root/bin/camperkiller
>
> /root/bin/camperkiller is:
>
> #!/bin/sh
> # don't kill processes on tty7: X!
> /bin/fuser -k /dev/tty[1-6]
> # want X to be killed, too? Do it gracefully, no KILL signal!
> /bin/fuser -k -TERM /dev/tty7
> /bin/sleep 2
> /sbin/init U
Thanks a lot! It works great.
Except that you can remap Alt and then Ctrl-Alt-Del no longer works on the
console. Maybe it still does for X (have not tried that).
> This works quite nicely. Since the X-server starts up, it changes VT. So
> upon X-setup (/usr/X11R6/lib/X11/xdm/Xsetup), you could use `chvt 2´ and
> display a message there that the users should hit ctrl-alt-del (do this
> in /etc/issue!).
> > Michael
> Roman.
Thanks,
Michael
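
Added example (not part of the original mails): the ctrl-alt-del attention key discussed above only works while /etc/inittab has an active ctrlaltdel entry and the console keymap still binds Control+Alt+<key> to the Boot keysym, so this sketch audits both. The function names and the sample inittab and keymap lines are constructed for illustration; the keymap text is assumed to be in dumpkeys output format.

```shell
#!/bin/sh
# Print the process field of every active ctrlaltdel entry in an inittab file
# (format id:runlevels:action:process; comment lines are skipped).
inittab_cad_handler() {
    awk -F: '!/^[ \t]*#/ && $3 == "ctrlaltdel" {
        sub(/^[^:]*:[^:]*:[^:]*:/, ""); print }' "$1"
}

# Succeed if a keymap dump still binds Control+Alt+<key> to the Boot keysym,
# the binding that makes the kernel notify init on ctrl-alt-del.
keymap_has_boot() {
    grep -Eq '(^|[[:space:]])control[[:space:]]+alt[[:space:]]+keycode[[:space:]]+[0-9]+[[:space:]]*=[[:space:]]*Boot([[:space:]]|$)' "$1"
}

# Run both checks; one line per finding, non-zero return if either fails.
audit_attention_key() {
    inittab=$1 keymap=$2 rc=0
    handler=$(inittab_cad_handler "$inittab")
    case $handler in
        /*) echo "OK: ctrlaltdel runs $handler" ;;
        '') echo "FAIL: no active ctrlaltdel entry"; rc=1 ;;
        *)  echo "FAIL: handler is not an absolute path: $handler"; rc=1 ;;
    esac
    if keymap_has_boot "$keymap"; then
        echo "OK: keymap binds Control+Alt to Boot"
    else
        echo "FAIL: keymap has no Control+Alt Boot binding"; rc=1
    fi
    return $rc
}

# Constructed sample input (not taken from a real system).
tmp=$(mktemp -d)
printf '%s\n' '# ca::ctrlaltdel:/sbin/shutdown -r now' \
    'ca::ctrlaltdel:/root/bin/camperkiller' > "$tmp/inittab"
printf '%s\n' 'keycode  83 = KP_Period' \
    '    control alt     keycode  83 = Boot' > "$tmp/keymap.good"
printf '%s\n' 'keycode  83 = KP_Period' > "$tmp/keymap.remapped"

audit_attention_key "$tmp/inittab" "$tmp/keymap.good"
audit_attention_key "$tmp/inittab" "$tmp/keymap.remapped" \
    || echo "remapped keymap detected"
```

On a real console the second argument would be a file written by `dumpkeys`, and the first would be /etc/inittab.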