Heads up for login managers

David Zeuthen davidz at redhat.com
Mon Feb 12 20:25:03 UTC 2007


On Mon, 2007-02-12 at 14:52 -0500, Alan Cox wrote:
> Tell me why your security model gains from poking around unreliably in the
> environment of a task (which is also btw really slow and a path we optimise
> against not for) as opposed to operating on the uid.

There are no changes in the security model; any login session from user
FOO can access resources over D-Bus from all of FOO's login sessions by
tweaking XDG_SESSION_COOKIE. They will also be able to access device files
without any problems. This is like pam_console. No changes. You might
even consider it a feature.

We need XDG_SESSION_COOKIE to make sure what desktop session a D-Bus
call originates from. We can't use uid for this because you might be
logged in multiple times and at different seats. For example, if you're
inactive at seat A you should not be able to invoke Mount() on HAL on a
storage device that is exclusive to seat A just because you're active on
seat B. We can do this securely only with XDG_SESSION_COOKIE. If we used
uid it wouldn't be secure.

I refuse to be part of designing a system that cannot allow multiple
logins from the same user. I hope I'm not the only one.

      David





More information about the Fedora-maintainers mailing list