Heads up for login managers

David Zeuthen davidz at redhat.com
Mon Feb 12 17:27:46 UTC 2007


On Mon, 2007-02-12 at 12:08 -0500, Steve Grubb wrote:
> > Suffice to say it's been discussed on a number of lists, it's been
> > designed with security in mind and I also mentioned it during my two
> > talks at LCA. Also had a lot of private exchanges with people about it.
> > I'd welcome a "security review" by you and others involved in
> > security-related matters in Fedora; it would be nice if you could do
> > that, thanks.
> 
> Yes, I will look it over.

Thanks, appreciate it. 

To get you started, keep in mind that the major change here is to deny
service from e.g. HAL to inactive sessions, much like we already deny
HAL service to non-console users; the point is e.g. to ensure that an
inactive session doesn't do things like suspend the system.

This is *hard*: how does a system service like HAL *know*, in a secure
way, what desktop session a caller originates from? The solution was to
use an environment variable, XDG_SESSION_COOKIE; i.e. membership of a
desktop session is defined by knowledge of this secret. So we can get
the process id of the caller, and from there ConsoleKit (running with
sufficient privileges) can look in /proc for that process and peek
at what XDG_SESSION_COOKIE is set to.

Keep in mind that using an environment variable is all an
implementation detail right now, abstracted by ConsoleKit at this
point. E.g. if we could securely tag a process with a cookie and ensure
that it's inherited by child processes and that said child processes
cannot change it, we're good. Then we could use that mechanism instead
of the rather ugly way of using environment variables. Unfortunately, to
my knowledge at least, the Linux kernel doesn't yet support something
like this.

      David
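The lookup described in the message above, written out as an added example in Python; this is not ConsoleKit's or HAL's own code. It assumes the caller's pid has already been obtained by the privileged service (for a D-Bus caller, the bus daemon's GetConnectionUnixProcessID method reports it) and that the service keeps a session table keyed by cookie. SAMPLE_SESSIONS, the environ blobs and the may_suspend policy are constructed for illustration. The example also shows the two things the message leaves implicit: reading /proc/<pid>/environ is only permitted to the same uid or to a process with ptrace read access, which is why the check has to run on the privileged side; and the cookie is a bearer secret, so the check is exactly as strong as the cookie's secrecy (any process that can read or replay it passes).

```python
"""Session-cookie lookup in the style of the /proc check described above.

Added example, not ConsoleKit or HAL code.  Names ending in _ENVIRON and
SAMPLE_SESSIONS are constructed sample data.
"""
import hmac
import os

SESSION_COOKIE_VAR = "XDG_SESSION_COOKIE"


def parse_environ(blob: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE records of /proc/<pid>/environ.

    Records without '=' or with an empty key are skipped.  The first
    occurrence of a key wins, matching what getenv() would return.
    """
    env = {}
    for record in blob.split(b"\0"):
        key, sep, value = record.partition(b"=")
        if not sep or not key:
            continue
        env.setdefault(key.decode("utf-8", "surrogateescape"),
                       value.decode("utf-8", "surrogateescape"))
    return env


def read_environ(pid: int) -> dict:
    """Read the exec-time environment of `pid` from /proc.

    The kernel only allows this for the same uid or for a process with
    CAP_SYS_PTRACE (ptrace read access), so the lookup must run inside the
    privileged service, never in the unprivileged caller.  Note the pid-reuse
    race: between the bus reporting the pid and this read, the pid may have
    been recycled, so a real service should cross-check with the bus again.
    """
    with open(f"/proc/{pid}/environ", "rb") as fh:
        return parse_environ(fh.read())


def find_session(env: dict, sessions: dict):
    """Return the session record whose cookie the caller presents, or None.

    `sessions` is a hypothetical table {cookie: {"id": str, "active": bool}}
    standing in for the service's own session registry.  The comparison is
    constant-time so that scanning the table does not leak cookie bytes
    through timing to a caller probing with guessed cookies.
    """
    presented = env.get(SESSION_COOKIE_VAR)
    if presented is None:
        return None
    for cookie, record in sessions.items():
        if hmac.compare_digest(cookie.encode(), presented.encode()):
            return record
    return None


def may_suspend(env: dict, sessions: dict) -> bool:
    """Policy from the message: only a caller in an *active* session may suspend."""
    session = find_session(env, sessions)
    return session is not None and session["active"]


# Constructed sample data (not captured from a real system).
SAMPLE_SESSIONS = {
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0": {"id": "Session1", "active": True},
    "ffeeddccbbaa99887766554433221100": {"id": "Session2", "active": False},
}
ACTIVE_ENVIRON = (b"HOME=/home/alice\0DISPLAY=:0\0"
                  b"XDG_SESSION_COOKIE=0f1e2d3c4b5a69788796a5b4c3d2e1f0\0")
INACTIVE_ENVIRON = b"HOME=/home/bob\0XDG_SESSION_COOKIE=ffeeddccbbaa99887766554433221100\0"
NO_COOKIE_ENVIRON = b"HOME=/root\0PATH=/usr/bin\0"
FORGED_ENVIRON = b"XDG_SESSION_COOKIE=not-a-known-cookie\0"

if __name__ == "__main__":
    for name, blob in [("active", ACTIVE_ENVIRON), ("inactive", INACTIVE_ENVIRON),
                       ("no cookie", NO_COOKIE_ENVIRON), ("forged", FORGED_ENVIRON)]:
        print(f"{name:>9}: may suspend = {may_suspend(parse_environ(blob), SAMPLE_SESSIONS)}")
    # Live check against this very process; works wherever /proc is mounted.
    try:
        own = read_environ(os.getpid())
        print("own process carries a session cookie:", SESSION_COOKIE_VAR in own)
    except OSError as exc:
        print("could not read own environ:", exc)
```

Running the script prints True only for the caller whose cookie maps to an active session; an inactive, absent or unknown cookie is refused. Because the policy decision is taken from the exec-time environment the privileged side reads out of /proc, the unprivileged caller cannot influence it by passing a cookie in its request, which is the whole reason for the detour through /proc.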
