Date: Wed, 18 Apr 2001 01:09:52 -0700 From: Dima Dorfman <dima@unixfreak.org> To: hackers@freebsd.org Subject: Restricting the console to one vty (patch) Message-ID: <20010418080952.52F3E3E09@bazooka.unixfreak.org>
next in thread | raw e-mail | index | archive | help
Attached is a patch that makes it possible to restrict (``freeze'')
the console to a single vty (the active one). This can be used in
conjunction with, e.g., lock(1) to setup a relative safeguard against
malicious access while the user is away from his terminal (lock(1)
alone doesn't help unless the user wants to do it for every vty he's
logged into, which quickly gets repetitive). I believe this would be
especially useful for laptops.
Of course, this doesn't prevent malicious access in terms of somebody
ripping out a disk, rebooting off of another disk, or one of the other
umpteen things one can do with physical access to a computer.
Instead, this is intended to protect things like ssh-agent sessions
where rebooting destroys the cached credentials.
Comments? Suggestions?
Thanks in advance,
Dima Dorfman
dima@unixfreak.org
Index: sys/sys/consio.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/consio.h,v
retrieving revision 1.6
diff -u -r1.6 consio.h
--- sys/sys/consio.h 2000/04/27 13:34:31 1.6
+++ sys/sys/consio.h 2001/04/18 07:29:30
@@ -116,6 +116,9 @@
/* set the history (scroll back) buffer size (in lines) */
#define CONS_HISTORY _IOW('c', 9, int)
+/* freeze the console (prevent vty switching) */
+#define CONS_FREEZE _IOW('c', 10, int)
+
/* mouse cursor ioctl */
struct mouse_data {
int x;
Index: sys/dev/syscons/syscons.c
===================================================================
RCS file: /home/ncvs/src/sys/dev/syscons/syscons.c,v
retrieving revision 1.355
diff -u -r1.355 syscons.c
--- sys/dev/syscons/syscons.c 2001/03/26 12:40:39 1.355
+++ sys/dev/syscons/syscons.c 2001/04/18 07:29:32
@@ -747,6 +747,13 @@
sc->flags &= ~SC_QUIET_BELL;
return 0;
+ case CONS_FREEZE:
+ if ((*(int *)data) & 0x01)
+ sc->flags |= SC_SCRN_FROZEN;
+ else
+ sc->flags &= ~SC_SCRN_FROZEN;
+ return 0;
+
case CONS_GETINFO: /* get current (virtual) console info */
{
vid_info_t *ptr = (vid_info_t*)data;
@@ -2070,6 +2077,13 @@
int s;
DPRINTF(5, ("sc0: sc_switch_scr() %d ", next_scr + 1));
+
+ /* if the console is frozen, disallow vty switching */
+ if (sc->flags & SC_SCRN_FROZEN) {
+ sc_bell(sc->cur_scp, sc->cur_scp->bell_pitch,
+ sc->cur_scp->bell_duration);
+ return EPERM;
+ }
/* delay switch if the screen is blanked or being updated */
if ((sc->flags & SC_SCRN_BLANKED) || sc->write_in_progress
Index: sys/dev/syscons/syscons.h
===================================================================
RCS file: /home/ncvs/src/sys/dev/syscons/syscons.h,v
retrieving revision 1.65
diff -u -r1.65 syscons.h
--- sys/dev/syscons/syscons.h 2001/03/11 22:48:03 1.65
+++ sys/dev/syscons/syscons.h 2001/04/18 07:29:32
@@ -163,6 +163,7 @@
#define SC_SCRN_IDLE (1 << 5)
#define SC_SCRN_BLANKED (1 << 6)
#define SC_SAVER_FAILED (1 << 7)
+#define SC_SCRN_FROZEN (1 << 8)
#define SC_INIT_DONE (1 << 16)
#define SC_SPLASH_SCRN (1 << 17)
Index: usr.sbin/vidcontrol/vidcontrol.1
===================================================================
RCS file: /home/ncvs/src/usr.sbin/vidcontrol/vidcontrol.1,v
retrieving revision 1.33
diff -u -r1.33 vidcontrol.1
--- usr.sbin/vidcontrol/vidcontrol.1 2001/04/18 07:21:58 1.33
+++ usr.sbin/vidcontrol/vidcontrol.1 2001/04/18 07:29:33
@@ -30,6 +30,7 @@
.Ar file
.Oc
.Op Fl g Ar geometry
+.Op Fl h Cm on | off
.Op Fl i Cm adapter | mode
.Op Fl l Ar screen_map
.Op Fl L
@@ -163,6 +164,11 @@
and
.Sx EXAMPLES
below.
+.It Fl h Cm on | off
+Freeze or unfreeze the console.
+When the console is frozen
+.Pq Cm on ,
+all attempts to switch to a different virtual terminal will fail.
.It Fl i Cm adapter
Shows info about the current video adapter.
.It Fl i Cm mode
Index: usr.sbin/vidcontrol/vidcontrol.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/vidcontrol/vidcontrol.c,v
retrieving revision 1.35
diff -u -r1.35 vidcontrol.c
--- usr.sbin/vidcontrol/vidcontrol.c 2001/04/09 17:24:29 1.35
+++ usr.sbin/vidcontrol/vidcontrol.c 2001/04/18 07:29:33
@@ -69,7 +69,7 @@
{
fprintf(stderr, "%s\n%s\n%s\n%s\n",
"usage: vidcontrol [-r fg bg] [-b color] [-c appearance] [-d] [-l scrmap]",
-" [-i adapter | mode] [-L] [-M char] [-m on|off]",
+" [-i adapter | mode] [-L] [-M char] [-m on|off] [-h on|off]",
" [-f size file] [-s number] [-t N|off] [-x] [-g geometry]",
" [mode] [fgcol [bgcol]] [show]");
exit(1);
@@ -470,6 +470,25 @@
}
void
+set_freeze(char *arg)
+{
+ int data;
+ int rv = 0;
+
+ if (strcmp(arg, "on") == 0)
+ data = 0x01;
+ else if (strcmp(arg, "off") == 0)
+ data = 0x02;
+ else {
+ warnx("argument to -h must be either on or off");
+ return;
+ }
+ rv = ioctl(0, CONS_FREEZE, &data);
+ if (rv)
+ warn("ioctl(CONS_FREEZE)");
+}
+
+void
set_border_color(char *arg)
{
int color;
@@ -648,7 +667,7 @@
info.size = sizeof(info);
if (ioctl(0, CONS_GETINFO, &info) < 0)
err(1, "must be on a virtual console");
- while((opt = getopt(argc, argv, "b:c:df:g:i:l:LM:m:r:s:t:x")) != -1)
+ while((opt = getopt(argc, argv, "b:c:df:g:h:i:l:LM:m:r:s:t:x")) != -1)
switch(opt) {
case 'b':
set_border_color(optarg);
@@ -674,6 +693,9 @@
warnx("incorrect geometry: %s", optarg);
usage();
}
+ break;
+ case 'h':
+ set_freeze(optarg);
break;
case 'i':
show_info(optarg);
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010418080952.52F3E3E09>