It should be 'secure attention key', my mistake. I read about it on https://en.m.wikipedia.org/wiki/Secure_attention_key , and I understand it as a security feature, am I wrong with that?

I've never heard of the ctrl+alt+del sequence being referred to as a "security feature" in windows. I have absolutely no idea what you're talking about really.

From what I understand, the feature is only for the case where a normal user (as opposed to the root) is compromised, with the intruder still unable to change how the kernel reacts to Ctrl+Alt+Del, and hungrily waiting for the next su. Also, how much improvement can such a sequence actually bring in terms of security? Maybe the intruder could just compromise a user in the wheel group and modify his $PATH to present him with a fake su, so the intruder doesn't really have to install a fake login for the whole system, which roughly means that on a system without the SAK feature, compromise of a wheel user will lead to compromise of the whole system. Not sure if I'm understanding correctly though...

Sounds like a nice feature in theory but how is first pressing a keyboard sequence any different from just typing/selecting your user name and entering your password? If you assume that parts of the system are compromised how can you trust the supposedly "secure" login system?
I kinda get what the wikipedia article talks about but that would require special hardware support for displaying a login that cannot be tampered with because it's triggered by the special key combination through the hardware and cannot be interfered with by the operating system. FreeBSD has no support for such a mechanism afaik.
Any software solution wouldn't be secure because you would then have to ask the classic question "who watches the watchers" to convince yourself that the solution is secure and you know where that leads.

> Also, how much improvement can such a sequence actually bring in terms of security?

None that I can think of. It only protects against one kind of attack, and on a Unix system in which a fake login is installed the intruder has already gained a level of access beyond some lowly user's account.
It's probably much more profitable to attack the source code tree or package repository directly, where a key logger could be installed on an indefinite number of systems and run in the background, gathering more useful information than a user's system login credentials.

But even then this can be easily thwarted (somewhat): always change the active console to something else before you log on.
The only use I can see is something like a public library network, there's little benefit among a group of trusted users.
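The $PATH tampering discussed in the posts above (a writable directory placed ahead of the system directories so that a fake su is found first) is something a wheel user can check for from their own shell. The script below is an added example written for this thread, not code from the forum or from FreeBSD; it assumes a POSIX sh, an ls(1) that accepts -ldnL, and /usr/bin as the trusted location of su(1). It reports PATH entries ahead of /usr/bin that are relative, missing, not owned by root, or group/world-writable, and shows which file "su" would actually run.

```shell
#!/bin/sh
# Added example, not from the thread: audit a login shell's PATH for the
# kind of tampering discussed above, from the defender's side.
# Assumptions: POSIX sh, ls(1) with -ldnL, and /usr/bin as the trusted
# location of su(1) (the FreeBSD default; adjust for other systems).

# dir_is_safe DIR: succeed only if DIR is absolute, exists, is owned by
# uid 0 and is neither group- nor world-writable.
dir_is_safe() {
    d=$1
    case $d in /*) ;; *) return 1 ;; esac   # relative entries are never safe
    [ -d "$d" ] || return 1                 # a missing dir could be created later
    set -- $(ls -ldnL "$d")                 # fields: perms links uid gid ...
    [ "$3" = 0 ] || return 1                # must be owned by root
    case $1 in ?????w*|????????w*) return 1 ;; esac   # group or other write bit
    return 0
}

# audit_path PATHSTRING TRUSTED: walk the entries that come before TRUSTED
# and print every one that fails dir_is_safe; returns 1 if any did.
audit_path() {
    rest="$1:"; trusted=$2; status=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        [ -z "$dir" ] && dir=.             # an empty entry means "."
        [ "$dir" = "$trusted" ] && break   # entries after the trusted dir cannot shadow it
        if ! dir_is_safe "$dir"; then
            printf 'unsafe PATH entry before %s: %s\n' "$trusted" "$dir"
            status=1
        fi
    done
    return $status
}

# resolve_cmd PATHSTRING NAME: print the file NAME resolves to under that
# PATH, searched in the same order the shell uses; returns 1 if not found.
resolve_cmd() {
    rest="$1:"; name=$2
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        [ -z "$dir" ] && dir=.
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Run against the current environment when executed directly.
if audit_path "$PATH" /usr/bin; then
    echo "no unsafe PATH entries ahead of /usr/bin"
fi
found=$(resolve_cmd "$PATH" su) && echo "su resolves to: $found"
```

The ownership and permission test is deliberately stricter than a plain `-w` check: a directory that the current user cannot write to is still a problem if some other unprivileged account can, and the check gives the same answer whether it is run as root or as the wheel user. It does not, of course, help once root is already compromised, which is the point the thread makes about where an SAK stops being useful.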
> Maybe the intruder could just compromise a user in the wheel group and modify his $PATH to present him with a fake su, so the intruder doesn't really have to install a fake login for the whole system...

Having difficulty understanding this. An intruder still needs to steal the root password when they have access to a wheel account, don't they? And lack of SAK feature will facilitate this final step of getting the password?

> Having difficulty understanding this. An intruder still needs to steal the root password when they have access to a wheel account, don't they? And lack of SAK feature will facilitate this final step of getting the password?

If you can access a wheel user account, you have access to the root account.
If the system has security/sudo installed and configured to allow users in wheel to run commands as root, then no other password is needed to become root.

> If the system has security/sudo installed and configured to allow users in wheel to run commands as root, then no other password is needed to become root.

This is correct, although su and sudo are different things.
I don't see that as a vulnerability in sudo(8) at all. If someone were to break into an account in wheel, it doesn't really matter if they are restricted to only some commands because they would have full control of the system. The OpenBSD developers created doas because they perceived sudo(8) and its configuration to be too complex. The default behavior of doas is also identical to the behavior I described before.
Isn't that why people who really want security do not use a wheel group in sudoers, but set up sudoers to only run certain things?
It would be interesting to have such a sequence always trapped by the kernel, but I don't see how it can be implemented with the variety of user interfaces (TTY, GUI/WM and SSH). Even with SSH, I wonder if the fingerprint it displays at first (when the IP address changes) couldn't just be printed by a criminal who then waits for my response.