Linux console tools development discussion
From: "Михаил Новоселов" <>
To: Alexey Gladkov <>
Cc: Linux console tools development discussion <>
Subject: Re: [kbd] [PATCH] vlock: allow sudo user to unlock his session
Date: Sun, 23 Aug 2020 20:47:47 +0300 (MSK)
Message-ID: <> (raw)
In-Reply-To: <20200810111621.2cx5xvbethx7s6pt@comp-core-i7-2640m-0182e6>

----- Original Message -----
> From: "Alexey Gladkov" <>
> To: "Михаил Новоселов" <>
> Cc: "Linux console tools development discussion" <>, "Dmitry V. Levin" <>
> Sent: Monday, 10 August 2020 14:16:21
> Subject: Re: [kbd] [PATCH] vlock: allow sudo user to unlock his session

> On Sun, Aug 09, 2020 at 11:50:07PM +0300, Mikhail Novosyolov wrote:
>> >
>> >I don't like the idea of implicitly changing the user through
>> >environment variables.
>> I also don't like it, but don't see much difference with setting
>> LOGNAME=vasya before running vlock and then being unable to unlock the
>> console without root due to fallback to uid=0...
> Now the LOGNAME is essentially not used. The vlock calls getpwnam and if
> the pw_uid does not match with current uid, vlock calls getpwuid.
> Checking the uid protects against incorrect LOGNAME.
> Your patch removes uid check and forces vlock to always use environment
> variables. Now an incorrect LOGNAME cannot change the behavior of vlock,
> but with your patch it will.

I probably confused something and thought that vlock falls back to the root user, not the current user.
Fallback to the current user is good behavior.

>> > SUDO_USER can be exposed accidentally or leak into the
>> >environment due to an error. In this case, you will lock the console
>> >without being able to unlock.
>> >
>> >Also, your patch will not allow you to block the console by another
>> >user or by root.
>> What do you mean?
> If I want to block the console with a root password, then I can do:
> $ sudo vlock

Sounds reasonable, I don't know how to find out if vlock was run like this or not.

Actually, I do not have much interest in implementing this, because neither I
nor anyone I know has ever used vlock, so let's leave this problem for the future.
Thanks for the review!
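
The lookup order described in the quoted review above (getpwnam on the environment name, a uid comparison, then getpwuid), shown next to a variant without the uid check. This is an added example, not vlock's source and not part of this message; the function names `checked_uid` and `env_trusting_uid` and the `NO_ENTRY` sentinel are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define NO_ENTRY ((uid_t)-1)   /* hypothetical sentinel: no passwd entry */

/* Lookup as described in the thread: the name from the environment is
 * only a hint, accepted when it maps to the uid the process runs as. */
uid_t checked_uid(const char *env_name, uid_t current)
{
    struct passwd *pw = env_name ? getpwnam(env_name) : NULL;

    if (pw == NULL || pw->pw_uid != current)
        pw = getpwuid(current);   /* fall back to the current user */
    return pw ? pw->pw_uid : NO_ENTRY;
}

/* Simplified model of a lookup without the uid check: whatever name is
 * in the environment decides whose password unlocks the console. */
uid_t env_trusting_uid(const char *env_name, uid_t current)
{
    struct passwd *pw = env_name ? getpwnam(env_name) : NULL;

    if (pw == NULL)
        pw = getpwuid(current);
    return pw ? pw->pw_uid : NO_ENTRY;
}

int main(void)
{
    const char *name = getenv("LOGNAME");
    uid_t me = getuid();

    printf("LOGNAME=%s uid=%lu\n", name ? name : "(unset)", (unsigned long)me);
    printf("checked lookup      -> uid %lu\n", (unsigned long)checked_uid(name, me));
    printf("env-trusting lookup -> uid %lu\n", (unsigned long)env_trusting_uid(name, me));
    return 0;
}
```

Running it as an ordinary user with `LOGNAME=root` in the environment prints the caller's own uid for the checked lookup and 0 for the env-trusting one.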


Thread overview: 5+ messages
2020-08-01 13:19 Mikhail Novosyolov
2020-08-09 16:08 ` Alexey Gladkov
2020-08-09 20:50   ` Mikhail Novosyolov
2020-08-10 11:16     ` Alexey Gladkov
2020-08-23 17:47       ` Михаил Новоселов [this message]
