Heads up for login managers
Steve Grubb
sgrubb at redhat.com
Mon Feb 12 19:42:01 UTC 2007

On Monday 12 February 2007 14:22, David Zeuthen wrote:
> On Mon, 2007-02-12 at 14:10 -0500, Steve Grubb wrote:
> > "It allows users to switch between user accounts on a single PC without
> > quitting applications and logging out."
> >
> > So it seems to indicate that UID is the right granularity.
>
> No. Again, it's a (mild?) security problem if an inactive session can
> spy on another session using sound or webcam capture. Just think of
> bored grad students in a computer lab.

Inactive sessions should have no access to hardware. Any kind of simultaneous
sharing has potentially created a covert channel. Besides, why does
considering UID to be the session identifier lead to people being able to spy
on each other?

> Hence why we need to revoke access to devices for inactive sessions.

Agreed.

> Also why we need to track the sessions. Right now XDG_SESSION_COOKIE
> provides that mechanism and I'm asking for a kernel extension so we
> don't need to rely on an environment variable being set.

So could UID. All you need is a unique identifier for each session. UID can do
that. Whatever you use, it has to be auditable.

> I'm _not_ suggesting to depart from file access being managed only by
> uid:gid, I'm just saying we need that + revoke().

I still don't see why a cookie provides protection and UID does not.

-Steve