Why is magic sysrq disabled by default?

Webmaniac2 · 2020-02-02 14:20:05

Hey everyone,

I've just found out that the magic Sysrq Key on Arch is disabled by default. What's the reason for this decision? Are there any security risks
by enabling it? It would be nice to hear some insights from the developers!

best regards
Webmaniac

twelveeighty · 2020-02-02 17:30:53

The devs typically don't lurk in the forums, so if you want a true dev to answer you'll have to post to the mailing list, However, isn't it set up the most "Arch" way possible: upstream only defines CONFIG_MAGIC_SYSRQ and sets it to 'y', which is kept as-is on Arch. Upstream does not define CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE, which I assume means it's set to 0x0 by default, which means the Arch value matches upstream. If you want to change its setting, because CONFIG_MAGIC_SYSRQ=y, you can use sysctl/systemd config to set CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE either temporarily or permanently at runtime.

Thorsten Reinbold · 2020-02-02 17:50:35

Webmaniac2 wrote:

Are there any security risks
by enabling it?

AFAIK: yes. For Desktop-Systems, this shouldn't be a thing, but there aren't only People running Desktops out there, so the feature is disabled by default. Feel free to enable it, it's really easy.

Last edited by Thorsten Reinbold (2020-02-02 17:51:25)

WorMzy · 2020-02-02 18:01:28

The upstream default for CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE is 0x1. Arch explicitly set it to 0x0 back when the 3.13 kernel was released (and this option was presumably added): https://git.archlinux.org/svntogit/pack … =a1bf3bc4d

I can't find an explanation behind this decision, but disabling sysrq was already an Arch decision, and one seemingly made for safety reasons (noted in https://bugs.archlinux.org/task/13769).

loqs · 2020-02-02 18:23:19

The upstream default set by systemd in /usr/lib/sysctl.d/50-default.conf is kernel.sysrq = 16

seth · 2020-02-02 18:23:37

I guess it's because w/ encrypted devices, there're different concepts of "physical access" and the sysreq could get you a root shell on an unencrypted device (what however implies that you already have physical access while the device is decrypted)
Another situation could be where rebooting is prohibited (in the OS) and you can have physical access to the keyboard, but not the system itself (eg. a banking terminal or whatever) in which case likewise the sysreq will get you unlimited access.

For a desktop/server w/o encryption etc. it doesn't matter. The sysreq implies that you have physical access and in that case you own the system anyway.

twelveeighty · 2020-02-04 01:36:02

WorMzy wrote:

The upstream default for CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE is 0x1

I thought I was looking in the right place, but apparently not: where do you see it being set to 0x1? I checked https://git.archlinux.org/svntogit/pack … ages/linux, and it (at time of writing) says:

#
# Generic Kernel Debugging Instruments
#
CONFIG_MAGIC_SYSRQ=y
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x0

loqs · 2020-02-04 04:50:40

@twelveeighty https://git.archlinux.org/linux.git/tre … arch1#n418

WorMzy · 2020-02-04 08:45:27

Sorry, forgot to include that in my post, thanks loqs.

Arch Linux

#1 2020-02-02 14:20:05

Why is magic sysrq disabled by default?

#2 2020-02-02 17:30:53

Re: Why is magic sysrq disabled by default?

#3 2020-02-02 17:50:35

Re: Why is magic sysrq disabled by default?

#4 2020-02-02 18:01:28

Re: Why is magic sysrq disabled by default?

#5 2020-02-02 18:23:19

Re: Why is magic sysrq disabled by default?

#6 2020-02-02 18:23:37

Re: Why is magic sysrq disabled by default?

#7 2020-02-04 01:36:02

Re: Why is magic sysrq disabled by default?

#8 2020-02-04 04:50:40

Re: Why is magic sysrq disabled by default?

#9 2020-02-04 08:45:27

Re: Why is magic sysrq disabled by default?

Board footer