[systemd-devel] Fix PAM module to not clobber XDG_RUNTIME_DIR with su
Tollef Fog Heen
tfheen at err.no
Wed Nov 20 22:06:25 PST 2013
]] Lennart Poettering
> Well, that's quite arbitrary. What about dbus, X11, and so on, do you
> plan to turn that off for the new session too?
Yes, please.
In the following, I'm talking about «su -» not plain «su», which I think
should go away since the semantics are woolen.
> su is a hack, it is not clear what credentials it changes and which ones
> it doesn't. It's entirely random what people think su should do, and
> it's a security nightmare, as nobody knows the environment programs run
> in anymore, there's no chance to get this done correctly.
I don't see it as any more arbitrary than login or ssh. (ssh can
transfer a bunch of credentials just fine, think Kerberos GSSAPI
delegation or agent forwarding.) That we're not tracking loginuid
across the network is just a limitation of the tools; there's nothing
inherent which says that we should stop at a host boundary. Older,
weaker protocols exist for tracking that, such as ident.
> Quite frankly, I am pretty sure the best approach is to simply prohibit
> running graphical applications from su sessions, it's never going to
> work. Letting other user access some (but not all) of a private user's
> bits and pieces is never going to work if those bits and pieces are
> nowadays a mix of dconf, X11, PA, dbus, security creds, keyrings, yadda
> yada...
If you want to run graphical applications through su, you need to do
xhost +SI:localuser:$newuser and set DISPLAY correctly. That's fine,
and I think requiring people to do so is fine.
> > Until then I recommend applying this patch (or something equivalent)
> > which at least stops destroying existing runtime dirs and makes it
> > compliant to the spec [4]. With that, things like pulse, dconf, or
> > dbus will still need to keep their internal fallback if there is no
> > runtime dir, but that's a less pressing matter.
>
> So, what's the intention here? That XDG_RUNTIME_DIR is entirely unset
> after "su"? That sounds kinda acceptable to me.
Either unset or set to the new user's XDG_RUNTIME_DIR. The main point
is «it should not be wrong» (which it is today). If we can make it
point somewhere sensible that's a bonus, but not required.
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
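The point in the reply above is that XDG_RUNTIME_DIR after «su -» "should not be wrong": either unset, or a directory that actually belongs to the user now running. The following is an added shell example (not part of the thread, and not the patch it refers to) that a practitioner can run after switching users to see what the PAM module left behind. It checks the XDG Base Directory requirements for a runtime dir: it exists, is a directory, is owned by the current uid, and is mode 0700. It assumes GNU coreutils (`stat -c`, `id -u`) on Linux.

```shell
#!/bin/sh
# Added example, not from the systemd-devel thread.
# Assumes GNU coreutils: stat -c and id -u.

# check_runtime_dir DIR UID
#   Prints a one-line verdict and returns:
#     0  DIR is an acceptable runtime dir for UID
#     1  DIR is empty (XDG_RUNTIME_DIR unset), which is the "safe" failure
#     2  DIR is not a directory
#     3  DIR cannot be stat'ed
#     4  DIR is owned by a different uid (the su clobbering case)
#     5  DIR is not mode 0700
check_runtime_dir() {
    dir=$1
    uid=$2
    if [ -z "$dir" ]; then
        echo "unset (acceptable: no stale runtime dir inherited)"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir"
        return 2
    fi
    # "%u %a" -> numeric owner uid and octal permission bits, e.g. "1000 700"
    info=$(stat -c '%u %a' "$dir" 2>/dev/null) || {
        echo "cannot stat: $dir"
        return 3
    }
    owner=${info% *}
    mode=${info#* }
    if [ "$owner" != "$uid" ]; then
        echo "owned by uid $owner, not uid $uid: $dir"
        return 4
    fi
    if [ "$mode" != "700" ]; then
        echo "mode $mode, expected 700: $dir"
        return 5
    fi
    echo "ok: $dir"
    return 0
}

# Usage: after "su - otheruser", run this script to see whether the
# environment still points at the original user's runtime dir. Wrapped in
# an if so the script's own exit status stays informative under set -e.
if check_runtime_dir "$XDG_RUNTIME_DIR" "$(id -u)"; then
    :
else
    echo "XDG_RUNTIME_DIR is not usable for uid $(id -u)" >&2
fi
```

Return code 4 is the situation the reply complains about: the variable survived the user switch but names a directory the new user does not own, so programs that trust it will either fail or, worse, share state across the two users. Return code 1 (unset) is the conservative outcome the thread considers acceptable.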