Why sysrq is limited to only "sync" command on official fedora kernel?

Reindl Harald h.reindl at thelounge.net
Wed Feb 25 20:49:48 UTC 2015



On 25.02.2015 at 21:38, Zdenek Kabelac wrote:
> On 25.2.2015 at 18:44, Reindl Harald wrote:
>>
>> On 25.02.2015 at 18:37, Paul Wouters wrote:
>>> On Wed, 25 Feb 2015, Lennart Poettering wrote:
>>>
>>>> Hmm? Syncing is allowed to my knowledge. C-a-d and gdm allow a clean
>>>> reboot/poweroff. But sysrq does an abnormal reboot/poweroff, which we
>>>> cannot allow. Similarly, remounting read-only is also security sensitive,
>>>> which we cannot allow.
>>>>
>>>> Without being logged in there's very little you can do on a host right
>>>> now, and sysrq should not open up more there by default.
>>>
>>> You must have forgotten your university days....
>>>
>>> The alternative to not being able to sync-umount-boot using sysrq is to
>>> flip the switch. I'd rather have them use sysrq.
>>>
>>> I said it when they closed X ctrl-alt-backspace and I'll say it now.
>>> When you are on console with the power plug, preventing these actions
>>> is stupid
>>
>> when you are on a machine where you have physical only keyboard and
>> mouse it is not - not every PC stands in front of your face - think
>> about kiosk mode and so on...
>
> When I read such answers - I always wonder myself - how many kiosks ever
> run Fedora...
>
> It's such a bad idea to optimize Fedora for one-in-million users and
> those 999.999 have to suffer instead of require 1 guy to configure more
> secure version

you can be sure that the need for sysrq is the one-in-million users just
because i am a *heavy user* with a lot of setups and used it 4 times in 
the past 12 years while restricted it to "kernel.sysrq = 20" long before 
the systemd change

it's such a bad idea to *not* optimize out-of-the-box for security

the ones which don't care can disable it, most won't care, nor have a 
need nor do they even know about a lot of things - these users are also
not in the position to fix bad security defaults because they have no 
idea about it
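
What the `kernel.sysrq` values mentioned in this thread actually permit, as an added example (not part of the original message and not Fedora's own tooling): it decodes a value with the bitmask from the kernel's sysrq documentation and flags the two functions the thread argues about, remount read-only and reboot/poweroff. The `DENY_UNAUTHENTICATED` policy, the function names and the sample lines are assumptions made for the example.

```python
import re

# Bitmask meanings as listed in the kernel's sysrq documentation.
SYSRQ_BITS = {
    2: "console log level control",
    4: "keyboard control (SAK, unraw)",
    8: "debugging dumps of processes",
    16: "sync",
    32: "remount read-only",
    64: "signalling of processes (term, kill, oom-kill)",
    128: "reboot/poweroff",
    256: "nicing of all RT tasks",
}
ALL_BITS = sum(SYSRQ_BITS)

# Assumed policy for this example: functions that should not be reachable
# from a keyboard by someone who is not logged in.
DENY_UNAUTHENTICATED = 32 | 128

def parse_sysctl_line(line):
    """Return N from a 'kernel.sysrq = N' line (decimal only), else None."""
    m = re.match(r"\s*kernel\.sysrq\s*=\s*(\d+)\s*$", line)
    return int(m.group(1)) if m else None

def effective_mask(value):
    """0 disables sysrq, 1 enables every function, >1 is a bitmask."""
    if value == 0:
        return 0
    if value == 1:
        return ALL_BITS
    return value & ALL_BITS

def enabled(value):
    """Names of the function groups a kernel.sysrq value turns on."""
    mask = effective_mask(value)
    return [name for bit, name in SYSRQ_BITS.items() if mask & bit]

def violations(value, deny=DENY_UNAUTHENTICATED):
    """Enabled function groups that the deny policy forbids."""
    mask = effective_mask(value) & deny
    return [name for bit, name in SYSRQ_BITS.items() if mask & bit]

if __name__ == "__main__":
    # Constructed sample lines: sync only, the 20 from the message, enable all.
    for line in ("kernel.sysrq = 16", "kernel.sysrq = 20", "kernel.sysrq = 1"):
        v = parse_sysctl_line(line)
        print(f"{line!r}: enabled={enabled(v)} violations={violations(v)}")
```
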
