From: "Михаил Новоселов" <m.novosyolov@rosalinux.ru>
To: Alexey Gladkov <gladkov.alexey@gmail.com>
Cc: Linux console tools development discussion <kbd@lists.altlinux.org>
Subject: Re: [kbd] [PATCH] vlock: allow sudo user to unlock his session
Date: Sun, 23 Aug 2020 20:47:47 +0300 (MSK)
Message-ID: <2000734695.381923.1598204867403.JavaMail.zimbra@rosalinux.ru>
In-Reply-To: <20200810111621.2cx5xvbethx7s6pt@comp-core-i7-2640m-0182e6>

----- Original message -----
> From: "Alexey Gladkov" <gladkov.alexey@gmail.com>
> To: "Михаил Новоселов" <m.novosyolov@rosalinux.ru>
> Cc: "Linux console tools development discussion" <kbd@lists.altlinux.org>, "Dmitry V. Levin" <ldv@altlinux.org>
> Sent: Monday, 10 August 2020, 14:16:21
> Subject: Re: [kbd] [PATCH] vlock: allow sudo user to unlock his session
>
> On Sun, Aug 09, 2020 at 11:50:07PM +0300, Mikhail Novosyolov wrote:
>> >
>> > I don't like the idea of implicitly changing the user through
>> > environment variables.
>>
>> I also don't like it, but don't see much difference with setting
>> LOGNAME=vasya before running vlock and then being unable to unlock the
>> console without root due to fallback to uid=0...
>
> Now the LOGNAME is essentially not used. The vlock calls getpwnam and if
> the pw_uid does not match the current uid, vlock calls getpwuid.
> Checking the uid protects against an incorrect LOGNAME.
>
> Your patch removes the uid check and forces vlock to always use environment
> variables. Now an incorrect LOGNAME cannot change the behavior of vlock,
> but with your patch it will.

I probably confused something and thought that vlock falls back to the root user, not the current user. Fallback to the current user is good behavior.

>> > SUDO_USER can be exposed accidentally or leak into the
>> > environment due to an error. In this case, you will lock the console
>> > without being able to unlock.
>> >
>> > Also, your patch will not allow you to block the console by another
>> > user or by root.
>>
>> What do you mean?
>
> If I want to block the console with a root password, then I can do:
>
> $ sudo vlock

Sounds reasonable; I don't know how to find out whether vlock was run like this or not. Actually I do not have much interest in implementing this, because neither I nor anyone I know has ever used vlock, so let's leave this problem for the future.

Thanks for the review!