From b74256d2b956c73ed81cdffc17b57de77eeeb815 Mon Sep 17 00:00:00 2001
From: Christopher Jeffrey
Date: Thu, 18 Sep 2014 14:38:54 -0700
Subject: [PATCH] disable alt+sysrq.
---
 README | 9 +++++++++
 slock.c | 22 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)
diff --git a/README b/README
index d39e2f5..f38843c 100644
--- a/README
+++ b/README
@@ -31,6 +31,15 @@ Changes by chjj wrong password or pressed ALT/CTRL/F1-13/SYSRQ. See twilio_example.h to create a twilio.h file. You will need a twilio account to set this up.
+- Disabling alt+sysrq before shutting down: This prevents an attacker from
+ alt+sysrq+k'ing the screenlock quickly before the shutdown.
+
+ - This requires a sudoers option to be set in /etc/sudoers:
+
+ - [username] [hostname] =NOPASSWD: /usr/bin/tee /proc/sys/kernel/sysrq
+
+ You must change [username] and [hostname] to your username and the hostname
+ of the machine.
 Requirements
 ------------
diff --git a/slock.c b/slock.c
index faee62a..1bb6d7e 100644
--- a/slock.c
+++ b/slock.c
@@ -148,6 +148,18 @@ error: return NULL; }
+// Disable alt+sysrq - keeps the attacker from alt+sysrq+k'ing our process
+static void
+disable_sysrq(void) {
+#if POWEROFF
+ // Needs sudo privileges - alter your /etc/sudoers file:
+ // [username] [hostname] =NOPASSWD: /usr/bin/tee /proc/sys/kernel/sysrq
+ system("echo 0 | sudo tee /proc/sys/kernel/sysrq > /dev/null");
+#else
+ return;
+#endif
+}
+
 // Poweroff if we're in danger.
 static void
 poweroff(void) {
@@ -160,6 +172,10 @@ poweroff(void) {
 execvp(args[0], args);
 execvp(args_legacy[0], args_legacy);
 fprintf(stderr, "Error: cannot shutdown. Check your /etc/sudoers file.\n");
+ // Needs sudo privileges - alter your /etc/sudoers file:
+ // [username] [hostname] =NOPASSWD: /usr/bin/tee /proc/sys/kernel/sysrq,/usr/bin/tee /proc/sysrq-trigger
+ // system("echo 1 | sudo tee /proc/sys/kernel/sysrq > /dev/null");
+ // system("echo o | sudo tee /proc/sysrq-trigger > /dev/null");
 #else
 return;
 #endif
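Review bot: The `system()` call in `disable_sysrq()` ignores its exit status, so when the sudoers entry is missing or sudo cannot authenticate, sysrq stays enabled and nothing is reported; without `-n`, sudo may also wait for a password while the lock is held. The pipeline resolves `sudo` and `tee` through the inherited `PATH`, whereas the documented sudoers rule only matches `/usr/bin/tee`, so the command should name that path explicitly. I would change the line to `if (system("echo 0 | sudo -n /usr/bin/tee /proc/sys/kernel/sysrq > /dev/null") != 0)` followed by `fprintf(stderr, "Error: cannot disable sysrq. Check your /etc/sudoers file.\n");`. The `#else return;` branch of a `void` function can simply be dropped.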
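Review bot: The four lines added after the `fprintf` in `poweroff()` are commented-out code plus a sudoers recipe, and the recipe is broader than it looks: a NOPASSWD rule for `/usr/bin/tee /proc/sysrq-trigger` lets that account issue every sysrq command, not only poweroff. If the fallback is not meant to run, I would remove the two `// system(...)` lines and keep one comment such as `// Fallback not enabled: a NOPASSWD tee rule on /proc/sysrq-trigger would allow every sysrq command, not just 'o'.`. As far as I know, writes to /proc/sysrq-trigger are not gated by the kernel.sysrq value, so the `echo 1` re-enable step looks unnecessary; worth confirming before it is ever uncommented. The start of `poweroff()` lies outside this hunk.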
@@ -420,6 +436,9 @@ readpw(Display *dpy, const char *pws)
 // Poweroff if there are more than 5 bad attempts.
 if(lock_tries > 5) {
+ // Disable alt+sysrq
+ disable_sysrq();
+
 // Take a webcam shot of whoever is tampering with our machine:
 webcam_shot(0);
@@ -482,6 +501,9 @@ readpw(Display *dpy, const char *pws)
 case XK_F11:
 case XK_F12:
 case XK_F13:
+ // Disable alt+sysrq
+ disable_sysrq();
+
 // Take a webcam shot of whoever is tampering with our machine:
 webcam_shot(0);
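Review bot: `disable_sysrq()` is only reached after tampering has already been detected (more than 5 bad attempts here, and a flagged key press in the hunk at -482), so alt+sysrq stays enabled for the whole time the screen is locked before that point, and the call itself runs a blocking shell/sudo pipeline ahead of `webcam_shot(0)`. If the goal is to protect the locker process, consider switching sysrq off once when the lock is taken and restoring the previous value after a successful unlock; where that belongs cannot be seen from these hunks because `readpw()` starts and ends outside them. At minimum I would document the limitation at both call sites: `// Disable alt+sysrq (blocks on sudo; sysrq was still enabled up to this point)`.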