<HTML
><HEAD
><TITLE
>Magic SysRq key</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Remote Serial Console HOWTO"
HREF="index.html"><LINK
REL="UP"
TITLE="Security"
HREF="security.html"><LINK
REL="PREVIOUS"
TITLE="Non-interactive boot sequence"
HREF="security-rhl-prompt.html"><LINK
REL="NEXT"
TITLE="Adjust behaviour of CtrlAltDelete"
HREF="security-ctrlaltdel.html"></HEAD
><BODY
CLASS="SECTION"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Remote Serial Console HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="security-rhl-prompt.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 9. Security</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="security-ctrlaltdel.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECTION"
><H1
CLASS="SECTION"
><A
NAME="SECURITY-SYSRQ"
></A
>9.9. Magic <B
CLASS="KEYCAP"
>SysRq</B
> key</H1
><P
>The <SPAN
CLASS="QUOTE"
>"magic <B
CLASS="KEYCAP"
>SysRq</B
> key"</SPAN
> is a key
sequence that allows some basic commands to be passed directly to
the kernel. Kernel software developers use this interface to debug
their software. Under most circumstances it can also be used to
uncleanly reboot the computer, something that is otherwise
difficult or expensive to do remotely.</P
><P
>For computers that are not used for kernel software
development the magic <B
CLASS="KEYCAP"
>SysRq</B
> key makes an ideal
denial of service device. A few unauthenticated keystrokes and the
computer is dead in the water. The console, serial or otherwise,
must be in an area with access limited to trusted people.</P
><P
>The serial console uses the <SPAN
CLASS="ACRONYM"
>RS-232</SPAN
> break
function as the <SPAN
CLASS="QUOTE"
>"magic <B
CLASS="KEYCAP"
>SysRq</B
> key"</SPAN
>. A
<SPAN
CLASS="QUOTE"
>"break"</SPAN
> is a period of no transmission on the serial
line, on traditional terminals it is activated by pressing a key
labeled <B
CLASS="KEYCAP"
>Break</B
>.</P
><P
>Anyone can dial into a modem and send a break, so if the
serial console is attached to a modem we need to disable the magic
<B
CLASS="KEYCAP"
>SysRq</B
> key . If the serial console is attached to
a terminal server which asks for authentication, or is attached
directly to another terminal using a null modem cable then you may
decide to activate the magic <B
CLASS="KEYCAP"
>SysRq</B
> key.</P
><P
>The magic <B
CLASS="KEYCAP"
>SysRq</B
> key can be disabled by
setting a kernel variable or by not compiling support for the
key.</P
><P
>Writing a <TT
CLASS="LITERAL"
>0</TT
> into
<TT
CLASS="FILENAME"
>/proc/sys/kernel/sysrq</TT
> will disable the magic
<B
CLASS="KEYCAP"
>SysRq</B
> key. The command <B
CLASS="COMMAND"
>sysctl</B
>
can also be used:</P
><DIV
CLASS="FIGURE"
><A
NAME="SECURITY-SYSRQ-SYSCTL"
></A
><P
><B
>Figure 9-10. Using <B
CLASS="COMMAND"
>sysctl</B
> to defeat the magic
<B
CLASS="KEYCAP"
>SysRq</B
> key</B
></P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
><TT
CLASS="PROMPT"
>bash#</TT
> <B
CLASS="COMMAND"
>sysctl -w kernel.sysrq=0</B
></PRE
></FONT
></TD
></TR
></TABLE
></DIV
><P
>Your Linux distribution may have a file
<TT
CLASS="FILENAME"
>/etc/sysctl.conf</TT
> which is used to run
<B
CLASS="COMMAND"
>sysctl</B
> during the boot of the machine. Add the
lines:</P
><DIV
CLASS="FIGURE"
><A
NAME="SECURITY-SYSRQ-SYSCTLCONF"
></A
><P
><B
>Figure 9-11. Configuring <TT
CLASS="FILENAME"
>/etc/sysctl.conf</TT
> to defeat
the magic <B
CLASS="KEYCAP"
>SysRq</B
> key</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
># Disables the magic SysRq key
kernel.sysrq = 0</PRE
></FONT
></TD
></TR
></TABLE
></DIV
><P
>Even when setting the magic <B
CLASS="KEYCAP"
>SysRq</B
> key off in
<TT
CLASS="FILENAME"
>/etc/sysctl.conf</TT
> there is a period of
vulnerability after the kernel boots but before contents of the
file are applied.</P
><P
>It is much better to compile your own kernel and set the
following configuration parameter:</P
><DIV
CLASS="FIGURE"
><A
NAME="SECURITY-SYSRQ-MENUCONFIG"
></A
><P
><B
>Figure 9-12. Kernel <B
CLASS="COMMAND"
>make menuconfig</B
> showing disabled
<B
CLASS="KEYCAP"
>SysRq</B
> key</B
></P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
>Kernel hacking --->
[ ] Magic SysRq key</PRE
></FONT
></TD
></TR
></TABLE
></DIV
><P
>This should place the following configuration parameter in
<TT
CLASS="FILENAME"
>/usr/src/linux/.config</TT
>.</P
><DIV
CLASS="FIGURE"
><A
NAME="SECURITY-SYSRQ-DOTCONFIG"
></A
><P
><B
>Figure 9-13. Kernel <TT
CLASS="FILENAME"
>.config</TT
> showing disabled
<B
CLASS="KEYCAP"
>SysRq</B
> key</B
></P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
># CONFIG_MAGIC_SYSRQ is not set</PRE
></FONT
></TD
></TR
></TABLE
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="security-rhl-prompt.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="security-ctrlaltdel.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Non-interactive boot sequence</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="security.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Adjust behaviour of <B
CLASS="KEYCAP"
>Ctrl</B
>-<B
CLASS="KEYCAP"
>Alt</B
>-<B
CLASS="KEYCAP"
>Delete</B
></TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
