Date: Sat, 10 Jun 2006 21:52:26 +0200 (CEST) From: Ed Schouten <ed@fxq.nl> To: FreeBSD-gnats-submit@FreeBSD.org Subject: kern/98788: [syscons] Add sysctl to disallow VT_LOCKSWITCH Message-ID: <20060610195226.CE1251706B@palm.hoeg.nl> Resent-Message-ID: <200606102000.k5AK0VP5049242@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 98788
>Category: kern
>Synopsis: [syscons] Add sysctl to disallow VT_LOCKSWITCH
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sat Jun 10 20:00:30 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Ed Schouten
>Release: FreeBSD 5.5-STABLE i386
>Organization:
Dispuut Interlink
>Environment:
System: FreeBSD palm.hoeg.nl 5.5-STABLE FreeBSD 5.5-STABLE #0: Mon May 29 10:55:24 CEST 2006 root@palm.hoeg.nl:/usr/obj/usr/src/sys/PALM i386
>Description:
The VT_LOCKSWITCH ioctl for syscons allows a user to disable the Alt Fx
functionality of the terminal. The lock(1) utility also uses this ioctl
when '-v' is passed as an argument.
Though very useful to entirely lock a machine, it may be unwanted (a
public machine). A sysctl to only allow this ioctl to super-users would
be very useful.
>How-To-Repeat:
Run lock -v on a machine with a lot of users. Other users get mad at you
because they want to log in.
>Fix:
The following patch adds a sysctl that allows you to limit this ioctl's
usage to super-users only.
%%%
--- sys/dev/syscons/syscons.c Sat Jun 10 21:21:39 2006
+++ sys/dev/syscons/syscons.c Sat Jun 10 21:31:06 2006
@@ -112,6 +112,8 @@
static int saver_mode = CONS_NO_SAVER; /* LKM/user saver */
static int run_scrn_saver = FALSE; /* should run the saver? */
static int enable_bell = TRUE; /* enable beeper */
+ /* locking terminal when unprivileged */
+static int unprivileged_lockswitch = TRUE;
#ifndef SC_DISABLE_REBOOT
static int enable_reboot = TRUE; /* enable keyboard reboot */
@@ -136,6 +138,9 @@
&sc_saver_keyb_only, 0, "screen saver interrupted by input only");
SYSCTL_INT(_hw_syscons, OID_AUTO, bell, CTLFLAG_RW, &enable_bell,
0, "enable bell");
+SYSCTL_INT(_hw_syscons, OID_AUTO, unprivileged_lockswitch, CTLFLAG_RW,
+ &unprivileged_lockswitch, 0,
+ "allow terminal switch locking when unprivileged");
#ifndef SC_DISABLE_REBOOT
SYSCTL_INT(_hw_syscons, OID_AUTO, kbd_reboot, CTLFLAG_RW|CTLFLAG_SECURE, &enable_reboot,
0, "enable keyboard reboot");
@@ -1059,6 +1064,11 @@
return 0;
case VT_LOCKSWITCH: /* prevent vty switching */
+ if (unprivileged_lockswitch == 0) {
+ error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL);
+ if (error)
+ return (EPERM);
+ }
if ((*(int *)data) & 0x01)
sc->flags |= SC_SCRN_VTYLOCK;
else
%%%
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060610195226.CE1251706B>