snapd

pressing ctrl-alt-del on an attached USB KBD allows rebooting locked down devices

Bug #1929539 reported by Oliver Grawert on 2021-05-25

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Snappy	In Progress	Undecided	Frederik Du Toit Lotter
	snapd	In Progress	Wishlist	Frederik Du Toit Lotter

Bug Description

if you have an otherwise locked down ubuntu core device, it is easily possible to trigger a reboot by just attaching a USB kbd and hit ctrl-alt-del. this is indeed unwanted on such devices, there should be a way to mask the systemd ctrl-alt-del target from i.e. a gadget option.

Revision history for this message

Dimitri John Ledkov (xnox) wrote on 2021-05-25:

Imho, it makes sense for that target to be symlinked to /dev/null by default in core snaps (core, core18, core20, core22).

And also make it writable. Such that device owners can set it to something else, like reboot.target.

And if it is writable, it could be then be customized at image creation time via hooks / tweaks done to the writable partitions.

This will need checking with snapd/foundations teams too, in case they want something else for it (i.e. enforcing this in different grades of UC20 models; and/or having some snap command API for this)

Revision history for this message

Ian Johnson (anonymouse67) wrote on 2021-05-25:

We already allow configuring the power button action via `snap set system system.power-key-action=poweroff|sleep|ignore|...`, this sounds very similar in scope.

No idea what to call it though? Is there another name for this action (pressing ctrl+alt+del)?

In any case, we would probably do as xnox suggests and make the ctrl+alt+del do nothing by default, and then allow changing that behavior through snap system configuration. Whether that's through a systemd symlink or a config file or whatever would need to be figured out too.

Changed in snapd:
status:	New → Confirmed
importance:	Undecided → Wishlist

Revision history for this message

Oliver Grawert (ogra) wrote on 2021-09-13 (last edit on 2021-09-13):

shouldn't simply adding it to:

https://github.com/snapcore/snapd/blob/master/overlord/configstate/configcore/services.go#L41

be sufficient to have a "ctrl-alt-del: disable" gadget.yaml option that will simply mask the service ?

Revision history for this message

Oliver Grawert (ogra) wrote on 2021-09-14:

so i did some tinkering, a simple

"sudo systemctl mask ctrl-alt-del.target"

and

"sudo systemctl unmask ctrl-alt-del.target"

work very well to dis/enable the ctrl-alt-del key combo ... adding "ctrl-alt-del.target" to the above code will additionally to sysd.Mask()/.Umask() also call sysd.Stop() and sysd.Start() when setting or unsetting the option ... and while .Stop() is a no-op, .Start() actually triggers a reboot.

So beyond just adding ctrl-alt-del.target to the list in line 41 in services.go, there needs to be some code to make it skip Stop()/Start() for units ending in .target, but that should be all that's needed here to have a gadget.yaml option for customers to disable it per-image.

Frederik Du Toit Lotter (flotter) on 2021-11-25

Changed in snapd:
assignee:	nobody → Frederik Du Toit Lotter (flotter)

Frederik Du Toit Lotter (flotter) on 2021-12-08

Changed in snappy:
assignee:	nobody → Frederik Du Toit Lotter (flotter)

Maciej Borzecki (maciek-borzecki) on 2021-12-09

Changed in snapd:
status:	Confirmed → In Progress
Changed in snappy:
status:	New → In Progress

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.