systemctl mask ctrl-alt-del.target not working

Support for security such as Firewalls and securing linux
Post Reply
PeteH
Posts: 6
Joined: 2018/12/20 17:34:39

systemctl mask ctrl-alt-del.target not working

Post by PeteH » 2018/12/21 14:43:54

Apologies if this is "old hat" but since stopping machines rebooting when ctrl-alt-del is pressed is sort of a security issue I'll ask the question here.

Ive tried
#systemctl mask ctrl-alt-del.target
#systemctl daemon-reload
and the more obscure
#ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target

Neither of them work, although I believe theres also an erro,r in that the linked file should be ctrl-alt-delete.target (since thats whats in the directory on a fresh install). If I send a ctrl-alt-del from a VMWare remote console even when ctrl-alt-delete.target is symlinked to /dev/null (or indeed ctrl-alt-delete.target symlinked to /dev/null) the machine still reboots. Any suggestions?

I'm really starting to miss /etc/inittab

Pete

User avatar
TrevorH
Forum Moderator
Posts: 26970
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: systemctl mask ctrl-alt-del.target not working

Post by TrevorH » 2018/12/21 15:18:08

Are you running a GUI on the machine? I tested masking ctrl-alt-del and if logged into gnome it comes up with a dialog box asking if I am sure I want to reboot. If I boot run runlevel 3 with it masked then it does nothing. If I unmask it and hit ctrl-alt-del in runlevel 3 then it reboots. So it's gnome intercepting the ctrl-alt-del and doing its own thing with it. Therefore you will need to disable both methods - systemctl mask ctrl-alt-del/target protects when at the cli.

https://access.redhat.com/solutions/1123873 seems to be the full list of things you have to do.
# cat /etc/dconf/db/local.d/00-disable-CAD
[org/gnome/settings-daemon/plugins/media-keys]
logout=''
# dconf update
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

PeteH
Posts: 6
Joined: 2018/12/20 17:34:39

Re: systemctl mask ctrl-alt-del.target not working

Post by PeteH » 2018/12/21 15:49:17

Trevor,
No the machine is running command line only, no GUI involved. The only thing that's in any way different is that it's a VMWare VM not physical tin.

Pete

PeteH
Posts: 6
Joined: 2018/12/20 17:34:39

Re: systemctl mask ctrl-alt-del.target not working

Post by PeteH » 2018/12/21 16:03:23

Trevor,
See attached.

You would think that should do it (and yes, this is a clean install from media). However if you send CTRL+ALT+DEL it reboots the box. All I can think of is that there's some discrepancy in the way the host machine processes the signal from the VMWare remote console. It's odd.

Pete
Attachments
screen.png
screen.png (41.75 KiB) Viewed 1218 times

User avatar
TrevorH
Forum Moderator
Posts: 26970
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: systemctl mask ctrl-alt-del.target not working

Post by TrevorH » 2018/12/21 18:02:42

My attempt was on a VM in VirtualBox and if I booted to the cli and ran systemctl mask ctrl-alt-del.target then used the vbox menu to send ctrl-alt-del to the VM then it did nothing. If I unmasked it and did the same then it rebooted.

So with it unmasked, /etc/systemd/system has no ctrl-alt-del.target entry at all. Once I mask it then it has

lrwxrwxrwx. 1 root root 9 Dec 21 17:56 ctrl-alt-del.target -> /dev/null

With that in place, if my VM is running gnome then I get a big popup when I hit Insert -> Keyboard -> Insert ctrl-alt-del but if I reboot and append 3 to the kernel command line to come up in cli mode and do the same then I get this in /var/log/messages

Dec 21 17:59:10 centos7 systemd: Received SIGINT.
Dec 21 17:59:10 centos7 systemd: Failed to enqueue ctrl-alt-del.target job: Unit is masked.

I can only assume that VMWare is doing something odd and not sending ctrl-alt-del at all but something else entirely that it thinks will do just as well (but doesn't).
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

PeteH
Posts: 6
Joined: 2018/12/20 17:34:39

Re: systemctl mask ctrl-alt-del.target not working

Post by PeteH » 2018/12/21 18:55:23

Trevor,
Very much what I'm thinking. The behaviour under the VMWare console is "odd" and I don't like odd. It's not a "show stopper" but it's just one of those things I normally like to deal with as part of a build.

Incidently, and just for reference, ctrl-alt-delete.target is symlinked by default on a fresh build to reboot.target.

Pete

User avatar
TrevorH
Forum Moderator
Posts: 26970
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: systemctl mask ctrl-alt-del.target not working

Post by TrevorH » 2018/12/21 19:03:11

VMware has some sort of Guest Additions thing you can build/compile/install. Maybe it's short circuiting the keyboard and communicating via those?
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

Post Reply

Return to “CentOS 7 - Security Support”