On 06/02/2016 02:19 PM, Paul Wouters wrote:
> On Jun 1, 2016, at 09:48, Lennart Poettering wrote:
> Any scheme that relies on unprivileged programs "being nice" doesn't
> fix the inherent security problem: after logout a user should not be
> able consume further runtime resources on the system, regardless if he
> does that because of a bug or on purpose.
You are redefining the meaning of (a graphical) logout. It simply means another user can
use the mouse, keyboard and screen of this device. It makes no statement on whether the
machines resources are shared or not.
It allows you to kill anything that has to do with the user controlling the screen,
keyboard and mouse but the killing should be limited to those processes. And then we are
back at "just fix those broken processes".
Actually, we have the capacity
for dual login (switching users), where
the first session is still active, and the new user runs his display
session on a different console which grabs the mouse, keyboard and
screen devices. The proposed change, as I understand it now, allows the
processes from the first session to continue running.