[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [E-devel] Suspend functionality for Entrance



On Fri, 25 Aug 2006 00:01:20 -0500 "Nathan Ingersoll" <ningerso@gmail.com>
babbled:

> On 8/24/06, The Rasterman Carsten Haitzler <raster@rasterman.com> wrote:
> >
> > simply parse that 1 liner - look for the (...something...) and if that
> > starts with localhost, :, 127.0.0.1, then we know the user is logged in
> > locally or from locally and we can approve the action.
> >
> > now - back to if it should be in ecore - no, as entrance doesn't need this
> > convoluted check system - just exec a command. only e needs it.
> 
> I don't think this is a good way to determine access to privileged
> commands, even a subset. Just a couple examples of why this is bad:
> 
> 1. Thin clients - A user connected on a thin client system can look
> like a local user, depending on the thin client technology used (VNC
> with a local X server, SunRay's, etc).

i think these users SHOULD appear as remotesystem:0 (where remotesystem is a
name or ip).

> 2. Public access terminal - A system for public access such as in a
> lab or cafe. For instance, a local bagel shop in my area has  a
> stripped down debian box with mozilla and a terrible minimalistic
> window manager available to customers.

oh sure - but these thigs i would simply advocate removing the suid bit :)

> While you could argue that both of these circumstances should require
> the administrator to customize the E install, I think that is putting
> too much faith in how much they will review the installed files.

right now its worse - there is no level of checking... :)

> This may be solved better through the use of PAM hooks. FC5 has
> /etc/pam.d/halt that limits shutdown to root or console users. I don't
> see anything similar in debian unstable atm, but I may have missed it.

that makes sense. i guess as i'm on debian i didn't see such a thing :) that
makes sense - but we also want to work out of the box too.

i think that maybe we need several layers.

1. check pam as you suggested IF the halt/reboot/susbped/cpufreq pam profile is
there - if not go to second step
2. check if user is logged in on the console
3. check for a magic file (/etc/enlightenment/nohalt as a quick example) - if
it exists - deny halt or reboot or whatever (we can work out the filenames
later)

?


> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> enlightenment-devel mailing list
> enlightenment-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
> 


-- 
------------- Codito, ergo sum - "I code, therefore I am" --------------
The Rasterman (Carsten Haitzler)    raster@rasterman.com
裸好多
Tokyo, Japan (東京 日本)