
Re: Run Another X Window as Another User?




Tim wrote:
> On Fri, 2006-05-26 at 00:01 -0400, Todd Zullinger wrote:
>> Gnome has user switching but it's disabled in FC5 "due to console
>> permission issues" according to the list of common bugs and issues
>> in FC5[1].
> 
> I thought it was more than just "console issues", as you don't get
> sound, either.  And what about when you plug in hotpluggable items
> (flash drives, etc.), which user gets to own them?

Those are all basically console permission issues.  Console in this
context isn't the terminal screens on VT 1-6, it's referring more
generally to the system the user is sitting in front of (I hope that
makes some sense, I realize I've worded it poorly :).

Depending on what your situation is, the permission issues may not be
of much concern to you.  I set up an FC5 system for one of my friends'
kids and I wanted the whole family to be able to use the system so
they could see how cool free software could be.

I found it annoying that the user switching wasn't enabled so I set
about trying to fix it.  As the kids are only 6, there's not a lot of
worry about them taking advantage of any local security issues to gain
higher level access.

I installed the user switch applet and removed the patches from the
fedora gnome packages that disabled user switching from the
screensaver dialog.  Then I modified the console permissions by
creating 99-local.perms in /etc/security/console.perms.d to relax the
permissions that are set up when a user is granted the console.  This
way when they switch users sound will work and other permissions get
set with group write perms instead of just owner write perms.

I haven't played much yet with flash drives and such, and I may need
to dig into gnome-mount to see how things are done there if there are
any issues about the permissions that filesystems on removable drives
are given.  I don't expect any of it to be too difficult to work out.
The security requirements for this system aren't so great, as all the
users of it trust one another.  In many other situations the changes I
made wouldn't be good security trade-offs.

I do wish I was able to find more discussion of the issues, just for
my own enlightenment.  In bug #186685, Rahul Sundaram said that
fedora-test and -devel had various discussions about it, but in the
time I tried to search the archives I wasn't able to turn up those
threads.  It'd be nice if those threads were linked to in the wiki or
bugzilla.

Anyway, it was a good chance to experiment.  I'll find out how well I
did when I deliver the computer.  I'm anxious to see how long it takes
to get some bug reports about my work and things I missed. :)

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Left to Her own devices, nature cures stupidity.
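
A way to review the kind of change described in the message above (relaxing console permissions through a local file in /etc/security/console.perms.d), as an added example that is not part of the original post. It assumes pam_console's permission-line layout `<console> login-mode <device-class> revert-mode revert-owner`; the sample entries and the `audit` function name are constructed for illustration.

```python
import re

# Constructed sample: a strict entry followed by relaxed overrides.
# This is NOT the 99-local.perms file from the post.
SAMPLE = """\
# constructed example
<sound>=/dev/dsp* /dev/audio* /dev/mixer* /dev/snd/*
<console>  0600 <sound>   0600 root
<console>  0660 <sound>   0660 root.audio
<console>  0666 <scanner> 0600 root
"""

# Assumed layout: <class> login-mode <device-class> revert-mode revert-owner
PERM_LINE = re.compile(
    r"^(<[^>]+>|\S+)\s+([0-7]{3,4})\s+(.+?)\s+([0-7]{3,4})\s+(\S+)\s*$")

def audit(text):
    """Return (lineno, device, login_mode, finding) for each relaxed entry.

    Flags entries whose login-time mode grants write access beyond the
    console owner. Backslash-continued lines are not handled.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        # Skip blanks, comments and class definitions such as <sound>=...
        if not line or "=" in line.split()[0]:
            continue
        m = PERM_LINE.match(line)
        if not m:
            continue
        _, login_mode, device, _, _ = m.groups()
        bits = int(login_mode, 8)
        if bits & 0o002:
            findings.append((lineno, device, login_mode, "world-writable"))
        elif bits & 0o020:
            findings.append((lineno, device, login_mode, "group-writable"))
    return findings

if __name__ == "__main__":
    for lineno, device, mode, finding in audit(SAMPLE):
        print(f"line {lineno}: {device} mode {mode} is {finding} at login")
```
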


