Everyone can reboot the computer with ctrl-alt-delete, even without logging in. This can be fixed by removing the rule "ca:12345:ctrlaltdel:/sbin/shutdown -r now" in /etc/inittab. I suggest to remove this rule in the default configuration. Reproducible: Always Steps to Reproduce:
> Everyone can reboot the computer with ctrl-alt-delete, even without logging in. Not Everyone, you would have to be at the system console. And if you are at the system console, there are other things you can do as well, such as print a stack trace, register dump, view memory stats, change current console, use the Magic-Sysrq-Key, view scrollback buffer, Kill any X Session (default is Zap enabled), etc. These actions are not considered a security issue for users with physical access. Users who have access to the console are also granted privilges they would not normally be permitted..by default it's considered that a user with access to the system console is entitled to certain "extra" privieleges, they're so-called "console users" (for example, access to cdrom device..see console.perms console.apps man pages)...after all, as many computer security texts will explain, if an attacker has physical access to the target, all bets are off :) > This can be fixed by removing the rule "ca:12345:ctrlaltdel:/sbin/shutdown -r now" in /etc/inittab. That would stop the "soft" ctrlaltdel behaviour from doing anything. It would also prevent legitimate logged in users from rebooting the system (except root). Changing the command to use shutdown.allow might be a better solution for you. If you want to disable the "hard" reboot behaviour, you would have to remove the Boot keybinding from the keymap file. also, If you have magic-sysrq key enabled, you would also have to totally disable it's use via the sysctl. > I suggest to remove this rule in the default configuration. I think that is a really bad idea, this is expected behaviour and pages and pages of documentation would have to be modified, confusing a lot of users and administrators. I think you have a very unusual setup where a reboot by users with physical access is considered a security problem. There is lots of documentation available explaining how to change this behaviour if it's not suitable for you, and the inittab entry is pretty self-explanatory for administrators who want to change it.
I side with Tavis on this. It's a rare setup where a user sitting at the console cannot simply unplug the machine. In such a setup, it takes about two minutes to change this behavior. I hate to be the one to do so, but can we close this as INVALID/WONTFIX? I simply don't see this as poor default behavior.
agreed local access -> you can forget about security ;P
