Weblog entry #1 for alish
See all weblog entries made by alish.
If your system has a keyboard attached to it anyone (yes anyone) can reboot the system through it without login to the system. This might, or might not, adhere to your security policy. If you want to restrict this, you must check the /etc/inittab so that the line that includes ctrlaltdel calls shutdown with the -a switch (remember to run init q after making any changes to this file). The default in Debian includes this switch:
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
Now, in order to allow some users to shutdown the system, as the manpage shutdown(8) describes, you must create the file /etc/shutdown.allow and include there the name of users which can boot the system. When the three finger salute (a.k.a. ctrl+alt+del) is given the program will check if any of the users listed in the file are logged in. If none of them is, shutdown will not reboot the system.
Comments on this Entry
http://www.debian-administration.org/users/ajt/weblog/101
However not with your suggestion. It sounds like a nice idea.
--
"It's Not Magic, It's Work"
Adam
[ Parent | Reply to this comment ]
http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.ht ml#s-restrict-reboots
I am new in debian administration and I decide to put all things that I learn in my blog.
[ Parent | Reply to this comment ]
You should also make sure that your kernel does not have the Magic SysRq option turned on, otherwise an Alt+SysRq+B would have the same effect of the three-finger salute, but without syncing the disc, which is worse!
Besides, if you are really concerned about people rebooting your PC, don't forget to enclose your PC in a locked cabinet, otherwise nothing prevents the passer-by from simply unplugging the power supply.
There is an illuminating story about Kevin Mitnick winning a "crack-this-PC contest" during an IT exhibition because the coders had put so much effort in the crypto stuff that they had forgot to secure the hardware!
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
The Magic SysRq is controlled by the compile-time option CONFIG_MAGIC_SYSRQ in the kernel configuration. It can also be disabled at run-time with
# echo 0 > /proc/sys/kernel/sysrq
Also see Magic SysRq key on Wikipedia (but I suspect that the last paragraph "Raising Skinny Elephants" is wrong: it suggests a key sequence that cause a disk access after the supposedly last sync).
[ Parent | Reply to this comment ]
sed -i 's/ca::ctrlaltdel:/#ca::ctrlaltdel:/g' /etc /inittab
[ Parent | Reply to this comment ]
sed -i 's/^ca:12345:ctrlaltdel:/#ca:12345:ctrlaltdel:/g ' /etc/inittab
[ Parent | Reply to this comment ]
http://chezphil.org/cadmenu/
[ Parent | Reply to this comment ]