[Spice-devel] Brainstorming help with x11spice on socket permissions across users

Jeremy White jwhite at codeweavers.com
Tue May 26 16:15:45 UTC 2020 

On 5/26/20 10:44 AM, Frediano Ziglio wrote:
> I suppose you are talking about the unix socket for vdagent, right?

Right, but the same mechanism works well for adding audio for example 
(but you have pulseaudio write to a socket).

> 
>>
>> Hi all,
>>
>> I'm trying to get x11spice and spice-html5, at least as packaged for
>> Fedora, into a pretty much 'turn key' state.
>>
>> I've got 3 use cases.  The first is user A sharing their current
>> desktop, either for themselves, or to get help.  That case is largely
>> done, imho, modulo some documentation and perhaps some streamlining.
>> The second is user A getting access to a new session for themselves.  I
>> don't feel blocked on this case; the work should be straight forward, if
>> fiddly (I may regret those words; doing a secure 'su' like function out
>> of apache may be harder than I think).
>>
> 
> I would check for the 2nd case if the session is maintained in case you
> are using SystemD. I suppose the user could want to launch a background
> X11 session and disconnect from the system.

Yeah, good point.  In fact, gdm had a cool bug in stock Fedora 32 that 
was fixed by a recent update.  (If you logged in via xdmcp to any user 
other than the console user, the console switched to the new user).

> 
>> The 3rd case, however, has me troubled.  This is the case that user A
>> (potentially apache) starts x11spice which then does an xdmcp request to
>> gdm, and eventually supports a log in by user B.  This makes it
>> challenging to provide a way for user B to launch a spice agent or a
>> pulseaudio daemon and have it securely connect back to the spice process
>> started by user A.  The approach I've used in the past is to have a
>> privileged binary use information from an X atom to adjust socket
>> permissions.  But that feels unsatisfying, and it seems to me that this
>> is an area with a lot of modern thinking that I've largely missed.
>>
> 
> As far as I know in the normal (physical) case in case of XDMCP two X11
> sessions are involved and X11 client have to reconnect to another session.
> So for symmetry you should reconnect the client and have separate socket
> for vdagent. Sockets are associated (permission) to different users and
> processes are associated to same user.
> 
>> As an added complexity, in the ideal case, you have a vdagent running as
>> user A during the login process, which knows to reap itself and give way
>> to a vdagent launched by user B.
>>
>> I was hoping that others would have modern instincts on how to more
>> correctly implement the third use case.  Clue bats or other ideas welcome.
>>
>> Cheers,
>>
>> Jeremy
> 
> To be honest I don't remember last time I used XDMCP.

Yeah, the option I'm leaning towards is discarding that use case.  (And, 
tbh, the point of this exercise it is mostly to increase the overall 
usability; I don't really have a specific problem I'm trying to solve).

Cheers,

Jeremy

More information about the Spice-devel mailing list