[Spice-devel] [RFC PATCH] [linux-vdagent] Lock screen on disconnect
Michal Suchanek
michal.suchanek at ruk.cuni.cz
Wed Sep 23 07:56:57 PDT 2015
Hello,
On Wed, Sep 23, 2015 at 10:05:40AM -0400, David Mansfield wrote:
> Hi,
>
> The attached is a very simple patch, which is working but possibly not
> suitable for inclusion at this point, that locks the x11 session when the
> client disconnects.
>
> Locking is performed using "xdg-screensaver lock", which seems like an ok
> implementation given that "xdg-open" is used in the file-transfer code.
>
> I looked at the ovirt-guest-agent code and that agent also locks the session
> on disconnect unless specifically disabled.
>
> Citrix (ICAClient) sessions also automatically lock when the client
> disconnects.
>
> Other thoughts:
>
> 1) Should text consoles be considered? (me: NO)
>
> 2) Does GDM need any special exception? (me: needs to be tested)
>
> 3) Is there any point checking the exit status of the lock command? (me: NO)
>
> 4) Should the lock command be configurable? (me: grumble)
I don't think this is a particularly awesome feature for a protocol aimed at
virtualization (as opposed to remote connection to an existing physical
desktop).

On a physical desktop locking the screen on disconnect (e.g. network
problem) can be useful because you do not know what people have access
to the physical desktop in some cases.

On a virtual desktop security is achieved by authenticating the user on
connecting to the virtual desktop. If you want a shared virtual machine
with per-user authentication you should export the individual user
desktops as opposed to the whole virtual machine. Any solution for
secure desktop sharing when you cannot tell who else is virtually
looking over your shoulder is going to be imperfect at best. You
yourself excluded the virtual consoles - for what reason? Should they
not be secured as much as graphical desktops? Have you considered that
it's possible to run multiple graphical desktops on the machine?

On the other hand, if you achieve running enough of the spice agent in
the user session that the user can connect only when his graphical
session is running and only to his own desktop then you have the desired
security and the locking is again a non-issue because the user can only
connect to his session and when another user connects he connects to his
own session. However, when you are there you can run the xdg-screensaver
because you are running (part of) the agent in the user session context
(with pointers to the correct X11, dbus and whatnot sockets) and the
script then presumably knows which screensaver is to be invoked.

There are (non-spice) solutions for starting Xvfb or similar on demand
when a user tries to connect to a virtual desktop server.
You can probably adapt one of those if nobody has done it so far.
This will be particularly interesting for USB device connections.
>
> 5) Should the lock-on-disconnect be optional and what default value? (me:
> default: lock)
It should definitely be configurable.
>
> 6) If lock-on-disconnect is optional, how to configure? (me: Because the
> process we care about is running in a specific user session, configuration
> may be left to the user, and so possibly ~/.spice-vdagent.conf). Note:
> there are other options to spice-vdagent that I can't see how anyone would
> be able to control using configuration files.
>
> 7) Windows agent feature parity?
You can possibly invoke the fast user switch feature or session lock
feature which is (unlike xdg-screensaver) designed to be reasonably
secure. If you can achieve invoking it programmatically.
Thanks
Michal