On 09/18/2007 05:17 PM, David Brodbeck wrote:
>
> On Sep 18, 2007, at 11:19 AM, Ralph Katz wrote:
>> This is a local vulnerability, yes. No worse than pulling the plug. Of
>> course that IS the problem. Only keyboard access is needed for this.
>>
>> To test, I booted a second etch computer which comes up to a gnome
>> desktop, and hit alt-sysrq-i. The display shows a nasty pink colored
>> image... Next was to hit alt-sysrq-b which must be the linux 3-finger
>> salute known to windows people.
>
> Hmm. I see what you're getting at, but is this really any worse than
> the default ctrl-alt-del behavior? (Or is there a security warning
> about that, too?)
>
> Frankly, if someone has physical access, a reboot is just about the
> least of your worries. It's pretty trivial for them to gain root access
> if they have physical access to the hardware.

It is worse precisely because it's undocumented. The default ctrl-alt-del behavior is documented, so not an issue.

One might ask whether the default ON for sysrq is appropriate for Stable. While I don't think it is, my bigger problem is with the absence of warnings or user documentation. This is critical for a distro that cares about its users which is why I filed bug 442512.

Perhaps this is more an issue to me as a non-programmer... And yes, physical access is problematic.

Regards,
Ralph
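
Added example, not part of the original message: a shell check of whether a given `kernel.sysrq` value permits the two key combinations tested in the thread (alt-sysrq-i and alt-sysrq-b). The `/proc/sys/kernel/sysrq` path and the bitmask values are taken from the kernel's SysRq documentation, not from this thread; the function names are hypothetical and the sample values in the comments are constructed.

```shell
#!/bin/sh
# Decode kernel.sysrq and report whether the keys discussed in the thread work.
# Bit values are from the kernel's SysRq documentation (assumption, not from
# the thread): 16 = sync, 32 = remount read-only, 64 = signal processes,
# 128 = reboot/poweroff. 0 disables SysRq entirely, 1 enables every function.

# Print the bitmask bit a key needs; fail for keys this sketch does not cover.
sysrq_bit_for_key() {
    case "$1" in
        i|e|f) echo 64 ;;    # i = SIGKILL all, e = SIGTERM all, f = OOM kill
        b|o)   echo 128 ;;   # b = immediate reboot, o = power off
        s)     echo 16 ;;    # emergency sync
        u)     echo 32 ;;    # remount filesystems read-only
        *)     return 1 ;;
    esac
}

# sysrq_allows VALUE KEY: exit 0 if KEY is permitted, 1 if not, 2 if unknown key.
sysrq_allows() {
    value=$1
    bit=$(sysrq_bit_for_key "$2") || return 2
    [ "$value" -eq 0 ] && return 1
    [ "$value" -eq 1 ] && return 0
    [ $(( value & bit )) -ne 0 ]
}

# Report on the two keys used in the thread's test.
report() {
    for key in i b; do
        if sysrq_allows "$1" "$key"; then
            echo "kernel.sysrq=$1: alt-sysrq-$key is ENABLED from the keyboard"
        else
            echo "kernel.sysrq=$1: alt-sysrq-$key is disabled"
        fi
    done
}

# Check the running system when the setting is readable.
if [ -r /proc/sys/kernel/sysrq ]; then
    report "$(cat /proc/sys/kernel/sysrq)"
fi
# Constructed sample: 176 (16+32+128) keeps sync/remount/reboot but blocks 'i'.
# To turn the keyboard combinations off: sysctl -w kernel.sysrq=0
```

To keep the setting across reboots, the same `kernel.sysrq` key goes in `/etc/sysctl.conf`.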