Systemd provides two ctrl-alt-del keyboard hooks (enabled by default)
exposing Ubuntu Core to malicious reboot request attacks.
(1) Ctrl-alt-del single press
(2) Ctrl-alt-del burst (7 presses or more in 2 seconds)
These issues are acknowledged and one addressed in a systemd commit
(commit: 24dd31c19ede505143833346ff850af942694aa6, 231 and later) by providing
a config item for the systemd manager to disable the ctrl-alt-del burst action.
Issue (1) is addressed in snapd by allowing the ctrl-alt-del.target to be masked (pull: https://github.com/snapcore/snapd/pull/11113)
Issue (2) is addressed in this patch by disabling burst action in the systemd manager config using a drop-in configuration file.
Testing: The ctrl-alt-del kernel sequence sends a SIGINT to PID1 (systemd).
The burst sequence was emulated by using a simple bash loop running on Ubuntu Core (Raspberry Pi 3).
$ while [ true ]; do sudo kill -s SIGINT 1; done
No drop-in: reboot
Drop-in config CtrlAltDelBurstAction=reboot-force: reboot
Drop-in config CtrlAltDelBurstAction=none: no reboot
This patch adds a drop-in systemd config with CtrlAltDelBurstAction=none
The drop-in config file prefix number is set at 11. This follows on 10 which can be generated by snapd for systemd watchdog control.
Also see:
https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-71993
https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2021-03-04/finding/V-230531
Signed-off-by: Fred Lotter <fred.lotter@canonical.com>
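
An added example, not part of the commit above or of snapd: a shell check that resolves which CtrlAltDelBurstAction value wins once system.conf and its drop-ins are merged, so the numeric-prefix ordering described above (10, then 11) can be audited on a device or an unpacked image. The function names and the ROOT prefix argument are assumptions of this example; the directories are the standard system.conf.d locations under /etc, /run and /usr/lib.

```shell
#!/bin/sh
# Added example (not snapd/systemd code): resolve the effective
# CtrlAltDelBurstAction from system.conf plus its drop-in directories.
# Assumes drop-in names without whitespace; an empty assignment is ignored.

# last_value FILE: print the last uncommented assignment in FILE, if any.
last_value() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*CtrlAltDelBurstAction[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# effective_burst_action [ROOT]: ROOT is a filesystem prefix ("" = live system).
effective_burst_action() {
    root=${1:-}
    value=reboot-force                 # systemd default when nothing is set
    v=$(last_value "$root/etc/systemd/system.conf")
    if [ -n "$v" ]; then value=$v; fi
    # Drop-ins apply in file-name order across all directories, so an
    # 11-* file overrides 10-* and is itself overridden by e.g. 50-*.
    names=$(for d in /usr/lib /run /etc; do
                for f in "$root$d"/systemd/system.conf.d/*.conf; do
                    if [ -e "$f" ]; then basename "$f"; fi
                done
            done | LC_ALL=C sort -u)
    for n in $names; do
        # For one file name, /etc shadows /run, which shadows /usr/lib.
        for d in /etc /run /usr/lib; do
            f="$root$d/systemd/system.conf.d/$n"
            if [ -e "$f" ]; then
                v=$(last_value "$f")
                if [ -n "$v" ]; then value=$v; fi
                break
            fi
        done
    done
    printf '%s\n' "$value"
}

# Run against the live system only when asked: sh script.sh --live
if [ "${1:-}" = "--live" ]; then effective_burst_action ""; fi
```

Any result other than `none` means a burst of SIGINT to PID 1 can still trigger the configured action, for instance because a later-sorting drop-in reassigns the option.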