Heads up for login managers

David Zeuthen davidz at redhat.com
Mon Feb 12 19:18:41 UTC 2007


On Mon, 2007-02-12 at 19:58 +0100, Tomas Mraz wrote:
> On Mon, 2007-02-12 at 13:41 -0500, David Zeuthen wrote:
> > On Mon, 2007-02-12 at 13:36 -0500, Alan Cox wrote:
> > > We use a cookie called "uid" and one called "gid". 
> > 
> > The problem is that these are not per-session; am not sure why that is
> > so difficult to understand.
> 
> The session is just uid + time when the user is logged on/active. As
> Alan wrote in his other e-mail - you should base the session management
> authorization checks on the uid+time notion and use the session cookie
> just as advisory. Otherwise you're creating just another path which can
> be used to elevate privileges. But perhaps you already check that in
> ConsoleKit - I didn't read the source yet.

The checks against XDG_SESSION_COOKIE are only used to limit access,
never to grant access; the algorithm for e.g. checking whether a
caller is allowed to call e.g. Mount() or Suspend() on HAL goes like
this:

 1. Someone calls into HAL; we get the uid and pid

 2. /var/run/console is checked for the uid; if user is not there
    we deny (this is actually done in the system message bus daemon)

 3. We ask ConsoleKit for the Session object given the caller's pid
    and then ask ConsoleKit whether that Session is active. If
    ConsoleKit says no, we deny (this is done in HAL)

(As you can see from the Wiki I linked to, ConsoleKit is actively
tracking the active session)

Today pam_console is responsible for maintaining /var/run/console but
for Fedora 8 I envision ConsoleKit completely replacing pam_console as
it keeps track of users, given that display managers (like gdm) are using
it.

For device file management in Fedora 7, HAL will be modified to grant /
remove ACLs on device files when users log in or out. HAL will use
ConsoleKit to be notified of these events. If we want we could also
grant / remove ACLs (and call revoke()) when sessions become active /
inactive. The webcam example I posted in another mail comes to mind
here; you really don't want inactive sessions to use the webcam to spy
on the user in the active session. Ditto for sound cards.

     David
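
The three-step check described in the message above, as an added Python model that is not part of the original post and is not HAL or ConsoleKit code. The names `ConsoleState`, `Session` and `authorize`, and the sample uids and pids, are hypothetical; the pid-to-session lookup is modeled as an opaque table.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    uid: int
    active: bool

@dataclass
class ConsoleState:
    """Constructed model of the state the checks consult (not real HAL/ConsoleKit code)."""
    console_uids: set = field(default_factory=set)      # stands in for /var/run/console
    session_by_pid: dict = field(default_factory=dict)  # opaque pid -> Session lookup

def authorize(state, uid, pid):
    """Return (allowed, reason) for a privileged call such as Mount() or Suspend()."""
    # Step 2: the uid gate. Nothing after this point can turn a deny into an allow.
    if uid not in state.console_uids:
        return False, "uid not on console"
    # Step 3a: resolve the session from the caller's pid.
    session = state.session_by_pid.get(pid)
    if session is None:
        return False, "no session for pid"
    # Step 3b: the session must be the active one.
    if not session.active:
        return False, "session inactive"
    return True, "ok"

def demo():
    # Constructed sample state: two console users, one of them switched away.
    state = ConsoleState(
        console_uids={500, 501},
        session_by_pid={
            4100: Session(uid=500, active=True),   # user on the active session
            4200: Session(uid=501, active=False),  # user whose session is inactive
        },
    )
    return {
        "active session": authorize(state, 500, 4100),
        "inactive session": authorize(state, 501, 4200),
        "console uid, pid outside any session": authorize(state, 500, 9999),
        # pid resolves to an active session, but the uid gate already failed:
        "uid not on console, active-session pid": authorize(state, 502, 4100),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:40} -> {result}")
```

The last case is the one that matters for the "limit, never grant" property: a session lookup that succeeds cannot rescue a caller whose uid was already rejected.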




