Re: Brainstorming help with x11spice on socket permissions across users


 




I didn't know you could do that. I suppose the solution is X11 only? It would be nice to have gnome-remote-desktop integration. Though GNOME seems more interested to support RDP these days (having a glib/gobject server library would certainly help them to consider Spice, *hint* ;)

Yes, although I'm not sure Wayland support would be hard.


    The second is user A getting access to a new session for themselves.  I
    don't feel blocked on this case; the work should be straight forward, if
    fiddly (I may regret those words; doing a secure 'su' like function out
    of apache may be harder than I think).


Multiple user session is tricky. Afaik, this is mostly used for desktop development. The instructions to set up such an environment change over time and desktop. Did I miss something? What's the use case?

The use case is I've got a server I'd like to get access to. I hit a web page, provide my credentials, and I have a full login session. Using xdmcp/gdm has the virtue of going through 'standard' channels.



    The 3rd case, however, has me troubled.  This is the case that user A
    (potentially apache) starts x11spice which then does an xdmcp request to
    gdm, and eventually supports a log in by user B.  This makes it
    challenging to provide a way for user B to launch a spice agent or a
    pulseaudio daemon and have it securely connect back to the spice process
    started by user A.  The approach I've used in the past is to have a
    privileged binary use information from an X atom to adjust socket
    permissions.  But that feels unsatisfying, and it seems to me that this
    is an area with a lot of modern thinking that I've largely missed.

    As an added complexity, in the ideal case, you have a vdagent running as
    user A during the login process, which knows to reap itself and give way
    to a vdagent launched by user B.

    I was hoping that others would have modern instincts on how to more
    correctly implement the third use case.  Clue bats or other ideas
    welcome.


This is systemd/desktop territories, and I don't know what would be the best way to do all that. I would suggest you ask the gnome-remote-desktop & systemd/logind developers, or other desktop developers how they plan or not to solve it.

Check, thanks.

Cheers,

Jeremy
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel



