Fast User Switching and security / SELinux

David Zeuthen david at fubar.dk
Tue Dec 19 23:04:29 UTC 2006


On Tue, 2006-12-19 at 17:14 -0500, Karl MacMillan wrote:
> Reading through http://fedoraproject.org/wiki/Desktop/FastUserSwitching, 
> I had two questions.
> 
> 1) Any work ongoing to look at the security of this solution? For 
> example, the proposed fix for device ownership allows multiple users to 
> use devices simultaneously. This could have serious security 
> implications (e.g., monitoring VoIP calls made by another user).

No code yet; plans include using ACLs on device nodes and having *some*
way of specifying whether a device of a given class can have multiple
owners or not. Preferably specifying this so it can be locked down.
Whether the driver in question supports multiple openers (it varies, even
within the same class e.g. ALSA) is another question.

All this will probably mean replacing pam-console with *something*, not
a bad idea anyway since pam-console is one reason that e.g. udev takes a
long time to start. It just does a lot of work on every uevent that it
doesn't need to do.

Again, no code is written yet. For discussion please follow up on the
Wiki page, not on this mailing list (as such, Karl, please add notes to
the Wiki page). Thanks.

     David




