[systemd-devel] The whole su/pkexec session debate
Lennart Poettering
lennart at poettering.net
Tue Dec 10 18:15:28 PST 2013
On Sun, 01.12.13 16:57, David Herrmann (dh.herrmann at gmail.com) wrote:
>
> Hi
>
> >>> But in the case of screen I'm specifically asking for a new, stand alone
> >>> session.
> >>
> >> I'd agree; but the fix would be fairly invasive for screen. I think
> >> it'd have to become setuid root, so it could request a new session.
> >
> > Yeah that was my fear too.
> >
> > Although perhaps this is just something that can be done via policy -
> > e.g. perhaps screen can just ask logind to create a new session for us
> > and then running some specific shell therein (i.e. a
> > screen@$newsid.service) then immediately attaching to it.
> >
> > Perhaps this just needs something to control whether or not it's allowed
> > to ask logind for a shell. This can perhaps be something controlled by
> > system policy - e.g. you may be allowed but have to enter your password
> > again, or you may just be allowed without further auth.
> >
> > I think eventually the semantics could be quite nice and could
> > potentially avoid the need for setuid but I don't really know the extent
> > of the needed infra here.
>
> Screen can be fixed to call:
> pam_start(&pamh)
> pam_open_session(pamh)
>
> and during shutdown:
> pam_close_session(pamh)
> pam_end(pamh)
Actually it's more complicated. It would have to be privileged and fork
once in the middle. And by default it pam_systemd would just make it a
member of the original session again, hence to no effect.
Lennart
--
Lennart Poettering, Red Hat
More information about the systemd-devel
mailing list