On Tue, Sep 18, 2007 at 02:19:30PM -0400, Ralph Katz wrote: > On 09/18/2007 01:12 PM, Andrew Sackville-West wrote: > > On Sun, Sep 16, 2007 at 09:06:49AM -0400, Ralph Katz wrote: > >> On 09/14/2007 07:24 PM, Andrew Sackville-West wrote: > >> > >>> just a word to the wise when dealing with these issues... magic sysrq > >>> key, be sure to google it. The two that are most useful, to me anyway, > >>> are > >>> > >>> Alt-sysrq-s to sync the filesystems (you'll see your drive light come > >>> on briefly and you;ll get a console message if you happen to be in > >>> one.) > >>> > >>> alt-sysrq-b to reboot. > >> This is new to me; never knew what that key did! > >> > >> Etch has sysrq enabled. However, the security implications should be > >> documented. SysRq isn't even mentioned in securing-debian-howto. It's > >> mentioned incorrectly as "default installation kernels are not compiled > >> with this option" in debian reference ( > >> http://qref.sourceforge.net/). > > > > out of curiousity, what are the security implications? sysrq requires > > physical access to the machine (well, at least the keyboard) and > > therefore security is pretty much out the window. or is there some way > > to trigger these events from a remote location? > > Andrew, surely you're kidding! :)
I wasn't kidding, but I see now why I look stupid... ;) My limited security knowledge centers around remote vulnerabilities. The computers I secure are in my house with little to no information that needs securing that couldn't easily be gotten elsewhere in the house. So local vulnerabilities are a given for me. The most I do is password the screensaver so the kids can't muck around with programs I may have open. Heck, I don't even have the case closed up on my main machine most of the time, much less locking the case or bolting it to the table. So in my limited world, unless its a remote vulnerability, I don't worry about it. Interestingly, at work i have a couple machines that I keep locked down pretty tightly for local exploits as well, but have never considered sysrq a problem. I'm not sure, running sid, that turning off sysrq is all that good an idea though. probably better to make sure the system will only boot one way (bios passwords etc) so that someone can't boot a cd and leave it at that. They can alt-sysrq-b all they want. I wan't to have access to that function as well. > > This is a local vulnerability, yes. No worse than pulling the plug. Of > course that IS the problem. Only keyboard access is needed for this. of course. > > To test, I booted a second etch computer which comes up to a gnome > desktop, and hit alt-sysrq-i. The display shows a nasty pink colored > image... Next was to hit alt-sysrq-b which must be the linux 3-finger > salute known to windows people. > > And yes, I've filed a bug on this (442512, 442893). good. As I type this the potentials are dawning on me... A -- current song: Weezer - Jamie/Live and Acoustic
signature.asc
Description: Digital signature
