lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 21 Jun 2011 14:30:04 -0400
From:	Neil Horman <nhorman@...driver.com>
To:	Stephen Hemminger <shemminger@...tta.com>
Cc:	Prarit Bhargava <prarit@...hat.com>, netdev@...r.kernel.org,
	davem@...emloft.net, agospoda@...hat.com, nhorman@...hat.com,
	lwoodman@...hat.com
Subject: Re: [PATCH]: Add Network Sysrq Support

On Tue, Jun 21, 2011 at 10:08:58AM -0700, Stephen Hemminger wrote:
> On Tue, 21 Jun 2011 09:00:40 -0400
> Prarit Bhargava <prarit@...hat.com> wrote:
> 
> > Add Network Sysrq Support
> > 
> > In some circumstances, a system can hang/lockup in such a way that the system
> > is completely unresponsive to keyboard or console input but is still
> > responsive to ping.  The config option, CONFIG_SYSRQ_PING, builds
> > net/ipv4/sysrq-ping.ko which allows a root user to configure the system for
> > a remote sysrq.
> > 
> > To use this do:
> > 
> > mount -t debugfs none /sys/kernel/debug/
> > echo 1 > /proc/sys/kernel/sysrq
> > echo <hex digit val> > /sys/kernel/debug/network_sysrq_magic
> > echo 1 > /sys/kernel/debug/network_sysrq_enable
> > 
> > Then on another system on the network you can do:
> > 
> > ping -c 1 -p <up to 30 hex digit val><hex val of sysrq> <target_system_name>
> > 
> > ex) sysrq-m, m is ascii 0x6d
> > 
> > ping -c 1 p 1623a06f554d46d676d <target_system_name>
> > 
> > Note that the network sysrq automatically disables after the receipt of
> > the ping, ie) it is single-shot mode.  If you want to use this again, you
> > must complete the above four steps again.
> > 
> > Signed-off-by: Prarit Bhargava <prarit@...hat.com>
> 
> Isn't same functionality already available with netconsole?
Negative, netconsole is a unidirectional protocol.  It registers no rx_hook and
so it doesn't receive frames.  It could be added, and we could add this
functionality that way, but that would seem wierd (to me at least):

1) It would mean that netconsole was writeable, which means we would need a
utility on the remote server to do that writing to the proper udp port

2) Said utility in (1) would have some security concerns, unless we implemented
the exact same magic key sequencing that prarit has here.  Otherwise any
attacker could send an unsolicited request to the netconsole port on a system.
I like the idea of keeping this functionality separate from a feature that gets
such wide use in a production environment.

I've hacked this kind of feature together to solve this problem a few times now,
I think it would be good to have it as a well defined feature permanently.
Acked-by: Neil Horman <nhorman@...driver.com> 

> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ