Date: Wed, 18 Apr 2001 01:09:52 -0700
From: Dima Dorfman <dima@unixfreak.org>
To: hackers@freebsd.org
Subject: Restricting the console to one vty (patch)
Message-ID: <20010418080952.52F3E3E09@bazooka.unixfreak.org>
Attached is a patch that makes it possible to restrict (``freeze'') the console to a single vty (the active one). This can be used in conjunction with, e.g., lock(1) to setup a relative safeguard against malicious access while the user is away from his terminal (lock(1) alone doesn't help unless the user wants to do it for every vty he's logged into, which quickly gets repetitive). I believe this would be especially useful for laptops. Of course, this doesn't prevent malicious access in terms of somebody ripping out a disk, rebooting off of another disk, or one of the other umpteen things one can do with physical access to a computer. Instead, this is intended to protect things like ssh-agent sessions where rebooting destroys the cached credentials. Comments? Suggestions? Thanks in advance, Dima Dorfman dima@unixfreak.org Index: sys/sys/consio.h =================================================================== RCS file: /home/ncvs/src/sys/sys/consio.h,v retrieving revision 1.6 diff -u -r1.6 consio.h --- sys/sys/consio.h 2000/04/27 13:34:31 1.6 +++ sys/sys/consio.h 2001/04/18 07:29:30 @@ -116,6 +116,9 @@ /* set the history (scroll back) buffer size (in lines) */ #define CONS_HISTORY _IOW('c', 9, int) +/* freeze the console (prevent vty switching) */ +#define CONS_FREEZE _IOW('c', 10, int) + /* mouse cursor ioctl */ struct mouse_data { int x; Index: sys/dev/syscons/syscons.c =================================================================== RCS file: /home/ncvs/src/sys/dev/syscons/syscons.c,v retrieving revision 1.355 diff -u -r1.355 syscons.c --- sys/dev/syscons/syscons.c 2001/03/26 12:40:39 1.355 +++ sys/dev/syscons/syscons.c 2001/04/18 07:29:32 @@ -747,6 +747,13 @@ sc->flags &= ~SC_QUIET_BELL; return 0; + case CONS_FREEZE: + if ((*(int *)data) & 0x01) + sc->flags |= SC_SCRN_FROZEN; + else + sc->flags &= ~SC_SCRN_FROZEN; + return 0; + case CONS_GETINFO: /* get current (virtual) console info */ { vid_info_t *ptr = (vid_info_t*)data; 
@@ -2070,6 +2077,13 @@ int s; DPRINTF(5, ("sc0: sc_switch_scr() %d ", next_scr + 1)); + + /* if the console is frozen, disallow vty switching */ + if (sc->flags & SC_SCRN_FROZEN) { + sc_bell(sc->cur_scp, sc->cur_scp->bell_pitch, + sc->cur_scp->bell_duration); + return EPERM; + } /* delay switch if the screen is blanked or being updated */ if ((sc->flags & SC_SCRN_BLANKED) || sc->write_in_progress Index: sys/dev/syscons/syscons.h =================================================================== RCS file: /home/ncvs/src/sys/dev/syscons/syscons.h,v retrieving revision 1.65 diff -u -r1.65 syscons.h --- sys/dev/syscons/syscons.h 2001/03/11 22:48:03 1.65 +++ sys/dev/syscons/syscons.h 2001/04/18 07:29:32 @@ -163,6 +163,7 @@ #define SC_SCRN_IDLE (1 << 5) #define SC_SCRN_BLANKED (1 << 6) #define SC_SAVER_FAILED (1 << 7) +#define SC_SCRN_FROZEN (1 << 8) #define SC_INIT_DONE (1 << 16) #define SC_SPLASH_SCRN (1 << 17) Index: usr.sbin/vidcontrol/vidcontrol.1 =================================================================== RCS file: /home/ncvs/src/usr.sbin/vidcontrol/vidcontrol.1,v retrieving revision 1.33 diff -u -r1.33 vidcontrol.1 --- usr.sbin/vidcontrol/vidcontrol.1 2001/04/18 07:21:58 1.33 +++ usr.sbin/vidcontrol/vidcontrol.1 2001/04/18 07:29:33 @@ -30,6 +30,7 @@ .Ar file .Oc .Op Fl g Ar geometry +.Op Fl h Cm on | off .Op Fl i Cm adapter | mode .Op Fl l Ar screen_map .Op Fl L 
@@ -163,6 +164,11 @@ and .Sx EXAMPLES below. +.It Fl h Cm on | off +Freeze or unfreeze the console. +When the console is frozen +.Pq Cm on , +all attempts to switch to a different virtual terminal will fail. .It Fl i Cm adapter Shows info about the current video adapter. .It Fl i Cm mode Index: usr.sbin/vidcontrol/vidcontrol.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/vidcontrol/vidcontrol.c,v retrieving revision 1.35 diff -u -r1.35 vidcontrol.c --- usr.sbin/vidcontrol/vidcontrol.c 2001/04/09 17:24:29 1.35 +++ usr.sbin/vidcontrol/vidcontrol.c 2001/04/18 07:29:33 @@ -69,7 +69,7 @@ { fprintf(stderr, "%s\n%s\n%s\n%s\n", "usage: vidcontrol [-r fg bg] [-b color] [-c appearance] [-d] [-l scrmap]", -" [-i adapter | mode] [-L] [-M char] [-m on|off]", +" [-i adapter | mode] [-L] [-M char] [-m on|off] [-h on|off]", " [-f size file] [-s number] [-t N|off] [-x] [-g geometry]", " [mode] [fgcol [bgcol]] [show]"); exit(1); @@ -470,6 +470,25 @@ } void +set_freeze(char *arg) +{ + int data; + int rv = 0; + + if (strcmp(arg, "on") == 0) + data = 0x01; + else if (strcmp(arg, "off") == 0) + data = 0x02; + else { + warnx("argument to -h must be either on or off"); + return; + } + rv = ioctl(0, CONS_FREEZE, &data); + if (rv) + warn("ioctl(CONS_FREEZE)"); +} + +void set_border_color(char *arg) { int color; @@ -648,7 +667,7 @@ info.size = sizeof(info); if (ioctl(0, CONS_GETINFO, &info) < 0) err(1, "must be on a virtual console"); - while((opt = getopt(argc, argv, "b:c:df:g:i:l:LM:m:r:s:t:x")) != -1) + while((opt = getopt(argc, argv, "b:c:df:g:h:i:l:LM:m:r:s:t:x")) != -1) switch(opt) { case 'b': set_border_color(optarg); @@ -674,6 +693,9 @@ warnx("incorrect geometry: %s", optarg); usage(); } + break; + case 'h': + set_freeze(optarg); break; case 'i': show_info(optarg); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
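Review bot: the new ioctl number in the consio.h hunk, `_IOW('c', 10, int)`, should be checked against the rest of the 'c' group before this lands; only CONS_HISTORY at 9 is visible here, and the mouse cursor ioctl whose struct follows the new define is the obvious neighbour to compare against. The ioctl encoding folds direction and size into the value, so a reused number would not collide at runtime, but two ioctls sharing a number is confusing and easy to avoid. The comment should also state the argument convention the kernel actually implements: the syscons.c side tests only bit 0 of the int, so "non-zero low bit freezes, zero unfreezes" is what a caller needs to know.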
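Review bot: the CONS_FREEZE case in sc_ioctl() has no check on who may freeze or, more importantly, unfreeze the console. The flag is stored in `sc->flags`, the per-adapter softc, not in the vty, so any process that can open a syscons device and issue the ioctl clears SC_SCRN_FROZEN for every vty at once, which lifts exactly the protection the locked vty depends on. At minimum the case should require that the requesting vty be the active one, or that the caller be privileged; otherwise the safeguard described in the mail is only as strong as the permissions on the other /dev/ttyv* nodes. A `suser()`-style privilege test or an ownership test against `sc->cur_scp` would be the natural place to start.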
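Review bot: in the sc_switch_scr() hunk nothing ever clears SC_SCRN_FROZEN except an explicit CONS_FREEZE ioctl, so if the process that froze the console goes away without unfreezing (lock(1) killed, the session hung up, a crash), every switch keeps failing with EPERM and the only way out is to run the unfreeze from the one vty that is still reachable, or to reboot. Consider clearing the flag when the vty that set it is closed, so a frozen console cannot outlive its owner. Separately, sc_bell() is rung before every refused switch; if this function is also reached from a non-keyboard path (an ioctl, for instance) the caller already gets EPERM, so the beep may belong in the keyboard handler rather than here.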
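Review bot: the vidcontrol.1 hunk should say what a freeze covers and who can undo it. "all attempts to switch to a different virtual terminal will fail" does not tell the reader that the freeze applies to every vty on the adapter (the flag is per console, not per vty), that it persists until `vidcontrol -h off` is run from the active vty, or that it offers no protection on its own without something like lock(1) running in the foreground; the mail says this, and the manual page should too. A sentence on the failure mode, a frozen console whose unfreezing process is gone, belongs here as well.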
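Review bot: set_freeze() in the vidcontrol.c hunk sends `0x02` for "off", but the kernel only tests bit 0, so "off" works only because 0x02 happens to leave that bit clear; send 0 for off and 1 for on so the userland side matches the `& 0x01` test in syscons.c. On a bad argument the function warns and returns, after which option processing continues, whereas the other options call usage() on a bad argument; be consistent. `int rv = 0;` is redundant since rv is assigned before it is read. The usage() string places `[-h on|off]` after `[-m on|off]`, out of the alphabetical order the SYNOPSIS in vidcontrol.1 keeps.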
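As an added example, not part of Dima Dorfman's patch or of FreeBSD itself, here is the lock(1) wrapper the "freeze, then lock" workflow in the mail implies, written so that the freeze cannot outlive the lock. It assumes the CONS_FREEZE ioctl and the `vidcontrol -h on|off` option from the patch are installed; lock(1) and its -n (no timeout) and -p (require the login password) flags are the stock FreeBSD ones. The function name freeze_and_lock is my own.

```shell
#!/bin/sh
# Added example (not from the patch): freeze the console only for as long
# as lock(1) is running.  Assumes "vidcontrol -h on|off" from the patch.
#
# Failure mode this guards against: a freeze that outlives the lock.  A
# stray SC_SCRN_FROZEN leaves every vty unreachable until someone runs
# "vidcontrol -h off" on the active vty, so the unfreeze is installed as
# a trap that fires on normal exit and on the usual terminating signals,
# and is also run explicitly on the normal path.

# Freeze, run lock(1), unfreeze.  Returns lock(1)'s exit status, or 1 if
# the console could not be frozen (vidcontrol already refuses to run when
# stdin is not a virtual console, so that case is covered by its error).
freeze_and_lock() {
    vidcontrol -h on || return 1
    trap 'vidcontrol -h off' EXIT HUP INT TERM
    lock -np                 # -n: never time out; -p: login password
    status=$?
    vidcontrol -h off        # normal path: unfreeze now, not at exit
    trap - EXIT HUP INT TERM # and drop the safety net again
    return $status
}

# Run it when invoked as "sh lock-console.sh run"; sourcing the file only
# defines the function.
if [ "${1-}" = run ]; then
    freeze_and_lock
fi
```

Because vidcontrol acts on the vty that stdin is attached to, the script must be run from the vty you are leaving, not from an ssh session or a redirected shell; that is also the vty on which `vidcontrol -h off` has to be issued if the trap never gets a chance to run.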
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010418080952.52F3E3E09>