Hello, On Wed, Sep 23, 2015 at 10:05:40AM -0400, David Mansfield wrote: > Hi, > > The attached is a very simple patch, which is working but possibly not > suitable for inclusion at this point, that locks the x11 session when the > client disconnects. > > Locking is performed using "xdg-screensaver lock", which seems like an ok > implementation given that "xdg-open" is used in the file-transfer code. > > I looked at the ovirt-guest-agent code and that agent also locks the session > on disconnect unless specifically disabled. > > Citrix (ICAClient) sessions also automatically lock when the client > disconnects. > > Other thoughts: > > 1) Should text consoles be considered? (me: NO) > > 2) Does GDM need any special exception? (me: needs to be tested) > > 3) Is there any point checking the exit status of the lock command? (me: NO) > > 4) Should the lock command be configurable? (me: grumble) I don't think this is particularly awesome feature for protocol aimed at virtualization (as opposed to remote connection to existing physical desktop). On a physical desktop locking the screen on disconnect (eg network problem) can be useful because you do not know what people have access to the physical desktop in some cases. On virtual desktop security is achieved by authenticating the user on connecting to the virtual desktop. If you want shared virtual machine with per-user authentication you should export the individual user desktops as opposed to the whole vitual machine. Any solution for secure desktop sharing when you cannot tell who else is virtually looking over your shoulder is going to be imperfect at best. You yourself excluded the virtual consoles - for what reason? Should they not be secured as much as graphical desktops? Have you considered that it's possible to run multiple graphical desktops on the machine? On the other hand, if you achive running enough of the spice agent in the user session that the user can connect only when his graphical session is running and only to his own desktop then you have the desired security and the locking is again non-issue because the user can only connect to his session and when another user connects he connects to his own session. However, when you are there you can run the xdg-screensaver because you are running (part of) the ageent in the user session context (with pointers to the correct X11, dbus and whatnot sockets) and the script then presumably knows which screensaver is to be invoked. There are (non-spice) solutions for starting Xvfb or similar on demad when a user tries to connect to a virtual desktop server. You can probably adapt one of those if nobody has done it so far. This will be particularly interesting for USB device connections. > > 5) Should the lock-on-disconnect be optional and what default value? (me: > default: lock) It should definitely be configurable. > > 6) If lock-on-disconnect is optional, how to configure? (me: Because the > process we care about is running in a specific user session, configuration > may be left to the user, and so possibly ~/.spice-vdagent.conf). Note: > there are other options to spice-vdagent that I can't see how anyone would > be able to control using configuration files. > > 7) Windows agent feature parity? You can possibly invoke the fast user switch feature or session lock feature which is (unlike xdg-screensaver) designed to be reasonably secure. If you can achieve invoking it programmatically. Thanks Michal _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/spice-devel