Not on SysRq but on “alt + ctrl + F1”
@Patrick wrote:
Why “I” can do it but user “man” cannot? What makes “me” and user “man” different?
On non-Qubes Debian I am always wondering if I can switch a virtual console using ctrl + alt + F1, why can user “man” not? And how’s that different in Qubes?
@marmarek wrote:
This is about where the process is started and what has connected as controlling terminal. It isn’t anything Qubes specific. A non-privileged process cannot inject characters into a separate session (lets forget about X11 breaking all this assumptions, as we are talking about non-X11 session), especially if it’s of a different user, similarly as it cannot write to files it doesn’t have write permission. to. You can think of it as a write access to /dev/tty* (or /dev/hvc0 in this case). When you login on /dev/hvc0, login process (running as root) will setup permission to/dev/hvc0and also pass an open FD to it to your shell. Then, you (user, and that shell) will be able to interact with/dev/hvc0and specifically run commands connected to it. If you don’t login there, login process will not set the permissions, so you won’t have access.
This does assume kernel enforced permissions are effective, but as we are talking here about in-VM account isolation only, it’s a reasonable assumption.