From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa.local.altlinux.org X-Spam-Level: X-Spam-Status: No, score=-3.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,RP_MATCHES_RCVD autolearn=ham autolearn_force=no version=3.4.1 DKIM-Filter: OpenDKIM Filter v2.10.3 mail.rosalinux.ru BCF3DD3FEB8F9 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rosalinux.ru; s=A1AAD92A-9767-11E6-A27F-AC75C9F78EF4; t=1598204867; bh=xNVhEW0aj1dy8m32WL7Vik5piOS2ethovUcdPbajj0A=; h=Date:From:To:Message-ID:MIME-Version; b=GrC+aoSlYXe5kFGf+KG37UypDp3gW0vmxpfdvBhDlOayHlVY0AbX+c11yPPxfxfIS sFiAn6BN0DbGqdt1sHLGHwLWtxZgYqlJtgMGQExwvmR824qXXrdey6XRzfytShMBeD fVJzswoiwrR0EIwvcJemIcN2FODFgzGY5LHowna8vpvwiAJbHJh5jEp3QSrOdxIzbl 9UwYnP+1V9Vth8u8T+g+RZ2IvjXzZtfBgO5c2DBe3QJ3uYl087ji28NJY9Uops70Bu 5zqU2sOChs6GehkM6f7HfCAeOE8WnpRUFJBEWa1xkfzCqCfcHdyPJf4m0dOuXaMiLW OitEQ9FaFBHnQ== X-Virus-Scanned: amavisd-new at rosalinux.ru Date: Sun, 23 Aug 2020 20:47:47 +0300 (MSK) From: =?utf-8?B?0JzQuNGF0LDQuNC7INCd0L7QstC+0YHQtdC70L7Qsg==?= To: Alexey Gladkov Message-ID: <2000734695.381923.1598204867403.JavaMail.zimbra@rosalinux.ru> In-Reply-To: <20200810111621.2cx5xvbethx7s6pt@comp-core-i7-2640m-0182e6> References: <019c50c1-6190-700c-3c32-03b84973ee2b@rosalinux.ru> <20200809160847.dm5pi6jycm3x767q@comp-core-i7-2640m-0182e6> <3F10EDD9-6CBE-4E6E-AD4F-9260C6856C4A@rosalinux.ru> <20200810111621.2cx5xvbethx7s6pt@comp-core-i7-2640m-0182e6> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Mailer: Zimbra 8.8.12_GA_3803 (ZimbraWebClient - GC84 (Linux)/8.8.12_GA_3794) Thread-Topic: vlock: allow sudo user to unlock his session Thread-Index: Xtpjxg6ZuNPCDSjNTUG9lW3iAFatFw== X-Mailman-Approved-At: Sun, 23 Aug 2020 21:29:40 +0300 Cc: Linux console tools development discussion Subject: Re: [kbd] [PATCH] vlock: allow sudo user to unlock his session X-BeenThere: kbd@lists.altlinux.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: Linux console tools development discussion List-Id: Linux console tools development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 23 Aug 2020 17:47:51 -0000 Archived-At: List-Archive: ----- =D0=98=D1=81=D1=85=D0=BE=D0=B4=D0=BD=D0=BE=D0=B5 =D1=81=D0=BE=D0=BE= =D0=B1=D1=89=D0=B5=D0=BD=D0=B8=D0=B5 ----- > =D0=9E=D1=82: "Alexey Gladkov" > =D0=9A=D0=BE=D0=BC=D1=83: "=D0=9C=D0=B8=D1=85=D0=B0=D0=B8=D0=BB =D0=9D=D0= =BE=D0=B2=D0=BE=D1=81=D0=B5=D0=BB=D0=BE=D0=B2" > =D0=9A=D0=BE=D0=BF=D0=B8=D1=8F: "Linux console tools development discussi= on" , "Dmitry V. Levin" > =D0=9E=D1=82=D0=BF=D1=80=D0=B0=D0=B2=D0=BB=D0=B5=D0=BD=D0=BD=D1=8B=D0=B5:= =D0=9F=D0=BE=D0=BD=D0=B5=D0=B4=D0=B5=D0=BB=D1=8C=D0=BD=D0=B8=D0=BA, 10 =D0= =90=D0=B2=D0=B3=D1=83=D1=81=D1=82 2020 =D0=B3 14:16:21 > =D0=A2=D0=B5=D0=BC=D0=B0: Re: [kbd] [PATCH] vlock: allow sudo user to unl= ock his session > On Sun, Aug 09, 2020 at 11:50:07PM +0300, Mikhail Novosyolov wrote: >> > >> >I don't like the idea of implicitly changing the user through >> >environment >> >variables. >>=20 >> I also don't like it, but don't see much difference with setting >> LOGNAME=3Dvasya before running vlock and then being unable to unlock the >> console without root due to fallback to uid=3D0... >=20 > Now the LOGNAME is essentially not used. The vlock calls getpwnam and if > the pw_uid does not match with current uid, vlock calls getpwuid. > Checking the uid protects against incorrect LOGNAME. >=20 > Your patch removes uid check and forces vlock to always use environment > variables. Now an incorrect LOGNAME cannot change the behavior of vlock, > but with your patch it will. I probably confused something and thought that vlock fallbacks to root user= , not the current user. Fallback to the current user is good behavior. >=20 >> > SUDO_USER can be exposed accidentally or leak into the >> >environment due to an error. In this case, you will lock the console >> >without being able to unlock. >> > >> >Also, your patch will not allow you to block the console by another >> >user >> >or by root. >>=20 >> What do you mean? >=20 > If I want to block the console with a root password, then I can do: >=20 > $ sudo vlock Sounds reasonable, I don't know how to find out if vlock was run like this = or not. Actually I do not have much interest in implementing this, because neither = me, nor any people that I know ever used vlock, so let's leave this problem for= future. Thanks for review!