On 06/02/2016 02:19 PM, Paul Wouters wrote:
On Jun 1, 2016, at 09:48, Lennart Poettering wrote:

Any scheme that relies on unprivileged programs "being nice" doesn't
fix the inherent security problem: after logout a user should not be
able consume further runtime resources on the system, regardless if he
does that because of a bug or on purpose.
You are redefining the meaning of (a graphical) logout. It simply means another user can use the mouse, keyboard and screen of this device. It makes no statement on whether the machines resources are shared or not.   

It allows you to kill anything that has to do with the user controlling the screen, keyboard and mouse but the killing should be limited to those processes. And then we are back at "just fix those broken processes".
Actually, we have the capacity for dual login (switching users), where the first session is still active, and the new user runs his display session on a different console which grabs the mouse, keyboard and screen devices. The proposed change, as I understand it now, allows the processes from the first session to continue running.