On Thu, 02.06.16 14:19, Paul Wouters (paul(a)nohats.ca) wrote:
> On Jun 1, 2016, at 09:48, Lennart Poettering wrote:
>> Any scheme that relies on unprivileged programs "being nice" doesn't
>> fix the inherent security problem: after logout a user should not be
>> able to consume further runtime resources on the system, regardless of
>> whether he does that because of a bug or on purpose.
> You are redefining the meaning of (a graphical) logout. It simply
> means another user can use the mouse, keyboard and screen of this
> device. It makes no statement on whether the machine's resources are
> shared or not.
Actually, with logind, a current kernel, and current X11 and/or Wayland
there's a very clear statement on sharing devices: logind will ensure
that only the fg session can access the various evdev and DRM devices,
and will suspend access for all sessions not currently in the
fg. Similarly, ACLs for a couple of other device nodes are patched
depending on the fg session (but only for DRM and evdev is the ongoing
connection of bg users suspended, as there's no concept of a
generic revoke() in the Linux kernel, only DRM- and evdev-specific
mechanisms). Locking this down properly, so that background sessions
or even non-console logins don't get access to your devices, has been
something various folks from various communities have been working
on for a while.
So yeah, sessions (as defined by logind) are a security concept
already, and they will make sure that only the right users get access
to the devices at the right times.
Lennart Poettering, Red Hat