revoke()

Posted Jan 28, 2010 16:43 UTC (Thu) by chrish (subscriber, #351)
Parent article: LCA: Graphics driver ponies

"One other audience member asked about running X without root privileges: that does work now, and Moblin is doing it. There are some problems remaining, though, especially with fast user switching. In the absence of a revoke() system call, there's no way to guarantee that one user isn't listening in on another."

Could someone expand on the part in bold and describe in more detail what the problem is? Why would fast user switching cause a single fd to be allocated to processes belonging to different users?


revoke()

Posted Jan 28, 2010 17:59 UTC (Thu) by wingo (subscriber, #26929)

I don't know, but I'll hazard a guess: the input and output devices of an X session are file descriptors, and have to be handed to and from the display manager and different userspace, and there's nothing preventing one user from keeping a dupped copy of one of the devices.

At least this comment should provoke someone knowledgeable to correct me :)

revoke()

Posted Feb 1, 2010 0:05 UTC (Mon) by whot (subscriber, #50317)

The evdev input driver opens /dev/input/eventX file descriptors. The same fd can be opened by another process allowing this process to read events coming from the devices. Currently, you need to be root to open the devices.

If the fd of a keyboard can be opened by a user, this user is able to read keyboard events. Example scenario:
1. user A logs in, /dev/input/event0 is opened as keyboard
2. user A starts keyboard sniffer on /dev/input/event0 because he or she has permissions to open this file.
3. user A uses fast user switching
4. user B logs in, /dev/input/event0 is opened as keyboard

Unless any process by user A can be suspended or revoked access to the fd, this process can sniff keyboard events from user B.
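The mechanism behind the scenario above, as an added example that is not part of the comments or of any X/evdev code: file permissions are checked when open() is called, so a descriptor obtained earlier keeps working after access to the node is withdrawn, which is the gap revoke() would close. A temporary file stands in for /dev/input/event0, and the struct and function names are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Illustrative names; a temp file stands in for /dev/input/event0. */
struct stale_fd_result {
    int held_read_ok;  /* 1 if the fd opened before the switch still sees new data */
    int reopen_errno;  /* errno of a fresh open() after the switch, 0 if it succeeded */
};

struct stale_fd_result stale_fd_demo(void)
{
    struct stale_fd_result r = {0, 0};
    char path[] = "/tmp/fake-event0-XXXXXX";
    const char ev[] = "user-B-keystroke";      /* constructed sample event */
    char buf[64] = {0};

    int wfd = mkstemp(path);                   /* event source, created mode 0600 */
    if (wfd < 0) { r.reopen_errno = errno; return r; }
    int held = open(path, O_RDONLY);           /* step 2: user A's process opens the node */

    fchmod(wfd, 0);                            /* steps 3-4: user A's access is withdrawn */
    if (write(wfd, ev, sizeof ev) == (ssize_t)sizeof ev) {
        ssize_t n = read(held, buf, sizeof buf);
        r.held_read_ok = (n == (ssize_t)sizeof ev && memcmp(buf, ev, sizeof ev) == 0);
    }

    int fresh = open(path, O_RDONLY);          /* a new open is subject to the mode check */
    if (fresh < 0) r.reopen_errno = errno; else close(fresh);

    close(held); close(wfd); unlink(path);
    return r;
}

int main(void)
{
    struct stale_fd_result r = stale_fd_demo();
    printf("read via fd held since before the switch: %s\n",
           r.held_read_ok ? "succeeded" : "failed");
    printf("fresh open() after the switch: %s\n",
           r.reopen_errno ? strerror(r.reopen_errno) : "succeeded (running as root?)");
    return 0;
}
```

Run as an unprivileged user, the fresh open() fails with EACCES while the descriptor held from before the permission change still returns the newly written data.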

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds