Linux Secure Attention Key (SAK) handling

Date:18 March 2001
Author:Andrew Morton

An operating system’s Secure Attention Key is a security tool which isprovided as protection against trojan password capturing programs. Itis an undefeatable way of killing all programs which could bemasquerading as login applications. Users need to be taught to enterthis key sequence before they log in to the system.

From the PC keyboard, Linux has two similar but different ways ofproviding SAK. One is the ALT-SYSRQ-K sequence. You shouldn’t usethis sequence. It is only available if the kernel was compiled withsysrq support.

The proper way of generating a SAK is to define the key sequence usingloadkeys. This will work whether or not sysrq support is compiledinto the kernel.

SAK works correctly when the keyboard is in raw mode. This means thatonce defined, SAK will kill a running X server. If the system is inrun level 5, the X server will restart. This is what you want tohappen.

What key sequence should you use? Well, CTRL-ALT-DEL is used to rebootthe machine. CTRL-ALT-BACKSPACE is magical to the X server. We’llchoose CTRL-ALT-PAUSE.

In your rc.sysinit (or rc.local) file, add the command:

echo "control alt keycode 101 = SAK" | /bin/loadkeys

And that’s it! Only the superuser may reprogram the SAK key.

Note

  1. Linux SAK is said to be not a “true SAK” as is required bysystems which implement C2 level security. This author does notknow why.

  2. On the PC keyboard, SAK kills all applications which have/dev/console opened.

    Unfortunately this includes a number of things which you don’tactually want killed. This is because these applications areincorrectly holding /dev/console open. Be sure to complain to yourLinux distributor about this!

    You can identify processes which will be killed by SAK with thecommand:

    # ls -l /proc/[0-9]*/fd/* | grep consolel-wx------    1 root     root           64 Mar 18 00:46 /proc/579/fd/0 -> /dev/console

    Then:

    # ps aux|grep 579root       579  0.0  0.1  1088  436 ?        S    00:43   0:00 gpm -t ps/2

    Sogpm will be killed by SAK. This is a bug in gpm. It shouldbe closing standard input. You can work around this by finding theinitscript which launches gpm and changing it thusly:

    Old:

    daemon gpm

    New:

    daemon gpm < /dev/null

    Vixie cron also seems to have this problem, and needs the same treatment.

    Also, one prominent Linux distribution has the following threelines in its rc.sysinit and rc scripts:

    exec 3<&0exec 4>&1exec 5>&2

    These commands causeall daemons which are launched by theinitscripts to have file descriptors 3, 4 and 5 attached to/dev/console. So SAK kills them all. A workaround is to simplydelete these lines, but this may cause system managementapplications to malfunction - test everything well.