Re: systemd 230 change - KillUserProcesses defaults to yes

On Thu, 02.06.16 14:19, Paul Wouters (paul@xxxxxxxxx) wrote:

> 
> > On Jun 1, 2016, at 09:48, Lennart Poettering wrote:
> > 
> > Any scheme that relies on unprivileged programs "being nice" doesn't
> > fix the inherent security problem: after logout a user should not be
> > able to consume further runtime resources on the system, regardless if he
> > does that because of a bug or on purpose.
> 
> You are redefining the meaning of (a graphical) logout. It simply
> means another user can use the mouse, keyboard and screen of this
> device. It makes no statement on whether the machine's resources are
> shared or not.

Actually, with logind, current kernel, current X11 and/or wayland
there's a very clear statement on sharing devices: logind will ensure
that only the fg session can access the various evdev and DRM devices,
and will suspend access for all sessions not currently in the
fg. Similarly, ACLs for a couple of other device nodes are patched
depending on the fg session (but only for DRM and evdev the ongoing
connection of bg users is suspended, as there's no concept of a
generic revoke() in the Linux kernel, but only DRM and evdev-specific
mechanisms). Locking this down properly, so that background sessions
or even non-console logins don't get access to your devices has been
something various folks from various communities have been working
on for a while.

So yeah, sessions (as defined by logind) are a security concept
already, and they will make sure that only the right users get access
to the devices at the right times.

Lennart

-- 
Lennart Poettering, Red Hat
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
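
An added example, not part of the original message and not systemd code: one way to audit the behaviour the message describes, by flagging device-node ACL entries that name a user other than the owner of the seat's foreground session. The device paths, user names and both sample inputs are constructed; the inputs follow the output formats of `getfacl` and `loginctl show-session`.

```python
import re

# Constructed sample in `getfacl` output format (not captured from a real host).
SAMPLE_GETFACL = """\
# file: dev/snd/controlC0
# owner: root
# group: audio
user::rw-
user:alice:rw-
group::rw-
mask::rw-
other::---

# file: dev/dri/card0
# owner: root
# group: video
user::rw-
user:alice:rw-
user:bob:rw-
group::rw-
mask::rw-
other::---
"""

# Constructed sample: Name/Active/Seat properties as `loginctl show-session` prints
# them, one blank-line-separated block per session.
SAMPLE_SESSIONS = "Name=alice\nActive=yes\nSeat=seat0\n\nName=bob\nActive=no\nSeat=seat0\n"

def active_users(sessions_text, seat="seat0"):
    """Users owning the active (foreground) session on the given seat."""
    users = set()
    for block in sessions_text.strip().split("\n\n"):
        props = dict(l.split("=", 1) for l in block.splitlines() if "=" in l)
        if props.get("Seat") == seat and props.get("Active") == "yes":
            users.add(props.get("Name"))
    return users

def stale_acl_entries(getfacl_text, allowed):
    """Named-user ACL entries granting access to anyone outside `allowed`.
    The ACL mask is ignored, so this reports granted rather than effective rights."""
    findings, path = [], None
    for line in getfacl_text.splitlines():
        if line.startswith("# file: "):
            path = line[len("# file: "):]
        m = re.match(r"user:([^:]+):([rwx-]{3})", line)
        if m and m.group(1) not in allowed and m.group(2) != "---":
            findings.append((path, m.group(1), m.group(2)))
    return findings

if __name__ == "__main__":
    for finding in stale_acl_entries(SAMPLE_GETFACL, active_users(SAMPLE_SESSIONS)):
        print("ACL entry for non-foreground user:", finding)
```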