[patch] Auth method for console users
Kay Sievers
kay.sievers at vrfy.org
Mon Sep 27 18:26:24 UTC 2004
On Mon, 2004-09-27 at 11:16 -0400, Colin Walters wrote:
> On Mon, 2004-09-27 at 16:02 +0200, Kay Sievers wrote:
>
> > What about renaming it to _dbus_user_local_user() and search the logins
> > with getutent(). If host = "", it should be a local user :)
>
> Sounds bad to me; someone could login via ssh from anywhere, and then
> ssh to localhost, and then I think their second ssh session would be a
> "local login".
Then the host carries the local hostname and it is not empty, at least
here on my box.
> The idea with Fedora's pam_console is it should mean
> that the user has physical access to the machine.
>
> I don't think DBus can really be a generic authentication library -
Good valid point.
> probably HAL will just have to duplicate the code for checking console
> access inside a #ifdef HAVE_PAM_CONSOLE or something. On SuSE they will
> probably want to patch it to use resmgr, etc.
>
> > Sure, it's not nice, but may work on many more systems.
> >
> > We do a similar hack in udev, look for:
> > set_to_local_user(char *user) in
> > http://linuxusb.bkbits.net:8080/udev/anno/udev-add.c@1.73?nav=index.html|src/
>
> It's a bit unclear to me what the security relevance of that is - what
> additional privileges does a "local" user have for udev?
It is a devfs emulation feature. For devfsd it was possible to specify a
"-1" for the uid to get the "current local user".
During the transition from devfs to udev we had a request for that, but
I think nearly nobody will ever use that.
Thanks,
Kay
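
The getutent() check discussed in this message, sketched as an added example (not code from D-BUS, HAL or udev; the function names and the sample records are hypothetical and constructed for illustration). It shows the case raised in the thread: a tty login with an empty ut_host matches, while a session whose ut_host carries a hostname does not. ut_host is whatever the login program recorded, so an empty field only means no remote host was written for that session.

```c
#include <stdio.h>
#include <string.h>
#include <utmp.h>

/* Hypothetical helper: 1 if `ut` is a live login session of `user`
 * whose ut_host field is empty, else 0. */
int record_is_hostless_login(const struct utmp *ut, const char *user)
{
    if (ut->ut_type != USER_PROCESS)       /* skip boot, getty, dead entries */
        return 0;
    if (strlen(user) > UT_NAMESIZE)        /* cannot be stored in ut_user */
        return 0;
    /* ut_user is a fixed array and is not NUL-terminated when full. */
    if (strncmp(ut->ut_user, user, UT_NAMESIZE) != 0)
        return 0;
    return ut->ut_host[0] == '\0';
}

/* Scan the system utmp database with getutent(). */
int user_has_hostless_login(const char *user)
{
    struct utmp *ut;
    int found = 0;

    setutent();
    while (!found && (ut = getutent()) != NULL)
        found = record_is_hostless_login(ut, user);
    endutent();
    return found;
}

/* Constructed sample record for demonstration, not real utmp data. */
struct utmp sample_record(short type, const char *user, const char *host)
{
    struct utmp ut;
    memset(&ut, 0, sizeof ut);
    ut.ut_type = type;
    strncpy(ut.ut_user, user, UT_NAMESIZE);
    strncpy(ut.ut_host, host, UT_HOSTSIZE);
    return ut;
}

int main(void)
{
    struct utmp tty = sample_record(USER_PROCESS, "kay", "");
    struct utmp ssh = sample_record(USER_PROCESS, "kay", "localhost");
    printf("tty login: %d\n", record_is_hostless_login(&tty, "kay"));
    printf("ssh login: %d\n", record_is_hostless_login(&ssh, "kay"));
    return 0;
}
```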