Is the default Ctrl-Alt-Delete shutdown -r functionality on Linux systems a dangerous feature?
Years ago, when I deployed physical systems with attached keyboards and monitors, I'd sometimes modify the /etc/inittab on Red Hat systems to disable the reboot trap. This usually happened after a local IT person or Windows admin accidentally used the magic key combination on the wrong terminal/keyboard/window and rebooted their server.
# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
I haven't done this since the RHEL4 days, but newer systems seem to have a /etc/init/control-alt-delete.conf file for this.
In the years since, most of my systems have been deployed headless or are running as virtual machines. This has reduced the frequency of unintended reboots... however, I've had a recent set of ctrl-alt-delete oopses from:
1) an IP KVM plugged into the wrong server by datacenter staff.
2) a Windows admin using the key combination in a VMware console, thinking it was needed for logon.
3) me using the ctrl-alt-delete macro in an HP ILO console to reboot a live CD... but it was actually the ILO for a very busy production server.
- Does it make sense to disable Ctrl-Alt-Delete reboot in Linux by default?
- Is this a common concern, or generally ignored?
- Are there any downsides to doing so?
- How do you handle this in your environment?
Edit: In fact, I just encountered this server, a virtual machine running for 1,115 days, root password unknown, and VMware tools were not installed (so Ctrl-Alt-Delete would be the only graceful shutdown option).
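An added audit helper (not part of the question or any answer) that reports how the Ctrl-Alt-Delete trap is configured on each of the three init systems mentioned in the thread: the sysvinit /etc/inittab entry, the upstart /etc/init/control-alt-delete.conf job, and systemd's ctrl-alt-del.target. The function names and the optional path arguments are my own; the default paths are the real ones.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Each function reports the
# command Ctrl-Alt-Delete would trigger, or "none" when the trap is disabled.
# Every function takes an optional path so it can be run against sample files.

# sysvinit: an active /etc/inittab entry looks like
#   ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# A commented-out or missing entry means no trap.
cad_sysvinit() {
    inittab="${1:-/etc/inittab}"
    [ -r "$inittab" ] || { echo "none"; return 0; }
    # fields are id:runlevels:action:process; skip comment lines, keep the process
    cmd=$(awk -F: '$1 !~ /^ *#/ && $3 == "ctrlaltdel" {
                     sub(/^[^:]*:[^:]*:[^:]*:/, ""); print; exit }' "$inittab")
    echo "${cmd:-none}"
}

# upstart: control-alt-delete.conf has "start on control-alt-delete" and an
# "exec shutdown -r now ..." line. A missing .conf, or a .override file
# containing "manual", means the event is ignored.
cad_upstart() {
    conf="${1:-/etc/init/control-alt-delete.conf}"
    [ -r "$conf" ] || { echo "none"; return 0; }
    override="${conf%.conf}.override"
    if [ -r "$override" ] && grep -Eq '^[[:space:]]*manual' "$override"; then
        echo "none"; return 0
    fi
    cmd=$(awk '$1 == "exec" { sub(/^[ \t]*exec[ \t]+/, ""); print; exit }' "$conf")
    echo "${cmd:-none}"
}

# systemd: Ctrl-Alt-Delete starts ctrl-alt-del.target, which the vendor unit
# links to reboot.target; "systemctl mask ctrl-alt-del.target" overrides it
# with a symlink to /dev/null under /etc/systemd/system.
cad_systemd() {
    unit="${1:-/etc/systemd/system/ctrl-alt-del.target}"
    if [ -L "$unit" ]; then
        target=$(readlink "$unit")
        case "$target" in
            /dev/null) echo "none" ;;
            *) echo "${target##*/}" ;;      # e.g. reboot.target, poweroff.target
        esac
    elif [ -e "$unit" ]; then
        echo "custom unit file"             # a real file: inspect it by hand
    else
        echo "vendor default (usually reboot.target)"
    fi
}

# Combined report using the live system paths.
cad_report() {
    echo "sysvinit: $(cad_sysvinit)"
    echo "upstart:  $(cad_upstart)"
    echo "systemd:  $(cad_systemd)"
}
```

Source the file and call cad_report on a host to see which of the three mechanisms is still armed; on a systemd host a "none" result corresponds to a masked ctrl-alt-del.target.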
This can be useful for very, very seldom touched machines. Years after installation, if no-one can remember a login for the host, Ctrl-Alt-Delete will do proper shutdown and then let you use GRUB (or even LiLo!) to supply
rw init=/bin/bash
to the kernel and thus give you the chance to reset the root password. The above is also a way that Ctrl-Alt-Delete is dangerous even if physical access to the power/reset switches and power cables is prevented. A boot loader password (and BIOS password plus disabling of USB/CD-ROM boot and the boot menu key) can prevent this but makes legitimate emergency recovery more difficult.
If you have ILO/IPMI/..., it makes absolute sense. The only reason for CTRLALTDEL was a magic trap when nothing else would interrupt. With a control card, you don't need that - you can reset the machine anyway. Needless to say, if the machine behaves correctly, you can always 'reboot'/'shutdown -r now'/'init 6'/'systemctl reboot' from console or gui.
I feel that the chances of accidental reboot via ctrl-alt-delete are much greater than the chances of a server's root password being forgotten, and therefore in production environments it makes sense to disable ctrl-alt-delete. I personally do this on my production systems.
The chances of a hard powercycle on a running Linux host causing unrecoverable data corruption are small. In the hundreds of times I've done this over the years, I can't recall a single instance where the system wasn't able to fix itself (fsck) on boot. So I consider this a valid option on hosts where the root password is unknown, barring the availability of other methods for graceful shutdown.