=========================================
Linux Secure Attention Key (SAK) handling
=========================================

:Date: 18 March 2001
:Author: Andrew Morton

An operating system's Secure Attention Key is a security tool which is
provided as protection against trojan password capturing programs.  It
is an undefeatable way of killing all programs which could be
masquerading as login applications.  Users need to be taught to enter
this key sequence before they log in to the system.

From the PC keyboard, Linux has two similar but different ways of
providing SAK.  One is the ALT-SYSRQ-K sequence.  You shouldn't use
this sequence.  It is only available if the kernel was compiled with
sysrq support.

The proper way of generating a SAK is to define the key sequence using
``loadkeys``.  This will work whether or not sysrq support is compiled
into the kernel.

SAK works correctly when the keyboard is in raw mode.  This means that
once defined, SAK will kill a running X server.  If the system is in
run level 5, the X server will restart.  This is what you want to
happen.

What key sequence should you use?  Well, CTRL-ALT-DEL is used to reboot
the machine.  CTRL-ALT-BACKSPACE is magical to the X server.  We'll
choose CTRL-ALT-PAUSE.

In your rc.sysinit (or rc.local) file, add the command::

	echo "control alt keycode 101 = SAK" | /bin/loadkeys

And that's it!  Only the superuser may reprogram the SAK key.

.. note::

  1. Linux SAK is said to be not a "true SAK" as is required by
     systems which implement C2 level security.  This author does not
     know why.

  2. On the PC keyboard, SAK kills all applications which have
     /dev/console opened.

     Unfortunately this includes a number of things which you don't
     actually want killed.  This is because these applications are
     incorrectly holding /dev/console open.  Be sure to complain to your
     Linux distributor about this!

     You can identify processes which will be killed by SAK with the
     command::

	# ls -l /proc/[0-9]*/fd/* | grep console
	l-wx------    1 root     root           64 Mar 18 00:46 /proc/579/fd/0 -> /dev/console

     Then::

	# ps aux|grep 579
	root       579  0.0  0.1  1088  436 ?        S    00:43   0:00 gpm -t ps/2

     So ``gpm`` will be killed by SAK.  This is a bug in gpm.  It should
     be closing standard input.  You can work around this by finding the
     initscript which launches gpm and changing it thusly:

     Old::

	daemon gpm

     New::

	daemon gpm < /dev/null

     Vixie cron also seems to have this problem, and needs the same
     treatment.

     Also, one prominent Linux distribution has the following three
     lines in its rc.sysinit and rc scripts::

	exec 3<&0
	exec 4>&1
	exec 5>&2

     These commands cause **all** daemons which are launched by the
     initscripts to have file descriptors 3, 4 and 5 attached to
     /dev/console.  So SAK kills them all.  A workaround is to simply
     delete these lines, but this may cause system management
     applications to malfunction - test everything well.
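
The audit described in item 2 of the note, as an added example that is not part of the original kernel document: it resolves each descriptor with ``readlink`` instead of grepping ``ls`` output, and reports every affected PID with its command name and the descriptors involved. The helper names ``sak_victims`` and ``make_fixture``, the daemon name ``exampled`` and the fake /proc tree are constructed for illustration; the script assumes a kernel that provides ``/proc/<pid>/comm``.

```shell
#!/bin/sh
# Added example (not from the kernel documentation): list the processes that
# hold /dev/console open, which the note says SAK will kill.
# sak_victims and make_fixture are hypothetical helper names.

# Usage: sak_victims [procdir]   (defaults to /proc; run as root to see every PID)
sak_victims() {
    procdir=${1:-/proc}
    for piddir in "$procdir"/[0-9]*; do
        [ -d "$piddir/fd" ] || continue
        fds=""
        for fd in "$piddir"/fd/*; do
            # Fails on an empty fd directory or a process that just exited.
            target=$(readlink "$fd" 2>/dev/null) || continue
            # Exact match, so paths that merely contain "console" are ignored.
            if [ "$target" = "/dev/console" ]; then
                fds="$fds${fds:+,}${fd##*/}"
            fi
        done
        [ -n "$fds" ] || continue
        comm=$(cat "$piddir/comm" 2>/dev/null) || comm="?"
        printf '%s %s fds=%s\n' "${piddir##*/}" "$comm" "$fds"
    done
}

# Constructed sample data: a fake /proc tree. PID 579 mirrors the gpm case
# (stdin on /dev/console); PID 612 is an invented daemon "exampled" that
# inherited fds 3, 4 and 5 from the initscript exec lines; PID 700 is clean.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/579/fd" "$root/612/fd" "$root/700/fd"
    echo gpm > "$root/579/comm"
    ln -s /dev/console "$root/579/fd/0"
    echo exampled > "$root/612/comm"
    ln -s /dev/null "$root/612/fd/0"
    for n in 3 4 5; do ln -s /dev/console "$root/612/fd/$n"; done
    echo sshd > "$root/700/comm"
    ln -s /dev/null "$root/700/fd/0"
    echo "$root"
}

# Demo run against the constructed tree; call sak_victims with no argument
# to inspect the live system instead.
fixture=$(make_fixture) && sak_victims "$fixture" && rm -rf "$fixture"
```

Running the audit before and after changing an initscript (for example after adding ``< /dev/null`` to the gpm line) shows whether the daemon has dropped off the list.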