[systemd-bugs] [Bug 80070] New: systemd-logind: allow "loginctl kill-session" for user's own session
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Sun Jun 15 15:53:05 PDT 2014
https://bugs.freedesktop.org/show_bug.cgi?id=80070
Priority: medium
Bug ID: 80070
Keywords: security
Assignee: systemd-bugs at lists.freedesktop.org
Summary: systemd-logind: allow "loginctl kill-session" for
user's own session
QA Contact: systemd-bugs at lists.freedesktop.org
Severity: normal
Classification: Unclassified
OS: All
Reporter: quequotion at mailinator.com
Hardware: Other
Status: NEW
Version: unspecified
Component: general
Product: systemd
Currently SUID is required to kill-session.
This prevents users (without sudo access) from using loginctl to log out of
their own session.
This would be useful for users who don't have a third party session manager or
have a broken session manager and need a "clean" means of logging out.
By "clean" I mean a way that ends a specific session, such as their currently
logged in session, without affecting other sessions (owned by themselves or
other users).
I don't think it's necessary to require SUID for this function. Users aren't
allowed to kill processes that don't belong to them anyway, so it follows that
a user would only be able to kill their own session(s). Perhaps this could be
acheived with polkit?
Besides, users (with polkit) already have acess to systemctl shutdown, reboot,
hibernate, and suspend; loginctl kill-session seems less serious.
+1: if kill-session can be allowed to users to end their own sessions, how
about kill-user for users to end themselves?
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/systemd-bugs/attachments/20140615/a5b30bf4/attachment.html>
More information about the systemd-bugs
mailing list