Brainstorming help with x11spice on socket permissions across users

Hi all,

I'm trying to get x11spice and spice-html5, at least as packaged for Fedora, into a pretty much 'turn key' state.

I've got 3 use cases. The first is user A sharing their current desktop, either for themselves, or to get help. That case is largely done, imho, modulo some documentation and perhaps some streamlining. The second is user A getting access to a new session for themselves. I don't feel blocked on this case; the work should be straightforward, if fiddly (I may regret those words; doing a secure 'su'-like function out of apache may be harder than I think).

The 3rd case, however, has me troubled. This is the case that user A (potentially apache) starts x11spice which then does an xdmcp request to gdm, and eventually supports a log in by user B. This makes it challenging to provide a way for user B to launch a spice agent or a pulseaudio daemon and have it securely connect back to the spice process started by user A. The approach I've used in the past is to have a privileged binary use information from an X atom to adjust socket permissions. But that feels unsatisfying, and it seems to me that this is an area with a lot of modern thinking that I've largely missed.

As an added complexity, in the ideal case, you have a vdagent running as user A during the login process, which knows to reap itself and give way to a vdagent launched by user B.

I was hoping that others would have modern instincts on how to more correctly implement the third use case. Clue bats or other ideas welcome.

Cheers,

Jeremy
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel


