Bug 9327

Summary: needs new policy for foreground console
Product: dbus
Reporter: Martin Pitt <martin.pitt>
Component: core
Assignee: Havoc Pennington <hp>
Status: RESOLVED WONTFIX
QA Contact: John (J5) Palmieri <johnp>
Severity: normal    
Priority: high    
Version: unspecified   
Hardware: x86 (IA32)   
OS: Linux (All)   
URL: https://launchpad.net/distros/ubuntu/+source/dbus/+bug/37181
Attachments: broken attempt to implement this

Description Martin Pitt 2006-12-13 04:39:46 UTC
Currently, at_console="true" matches users on a physically local console, and
programs like gnome-volume-manager, gnome-power-manager etc. make heavy use of it.

While this is a good concept for things like avahi, where resources do not
compete with each other, it is not sufficient for nm-applet or
gnome-volume-manager, where concurrent access from multiple users does compete.

Therefore, in Ubuntu we added patches to gnome-volume-manager,
gnome-power-manager, etc. to not issue dbus calls if their console is not the
currently active one (on the foreground). Thus, if two people are logged into
the box (user switching), this avoids the race condition 'who will get ownership
of the plugged in USB stick' or 'inactive user's gpm issues a suspend, and the
active user gets totally surprised by that'.

However, checking for this in the particular apps is not only tedious, but also
wrong from a security perspective; the dbus calls will still work.

To solve this cleanly, I propose a new policy type at_console="foreground", or
foreground_console="yes", or similar.
Comment 1 Martin Pitt 2006-12-13 04:40:41 UTC
Created attachment 8089
broken attempt to implement this

In Ubuntu we experimented with a patch that uses libpam-foreground to
implement this policy (unfortunately we didn't rename the option, but
kept it as at_console, since by that time we did not have a use case
for upstream's semantics; now with avahi we do). Unfortunately it does
not work because dbus resolves the policy statically, so
changes of the foreground console are not respected. But maybe
it has some bits you can recycle.
Comment 2 John (J5) Palmieri 2007-10-09 12:56:28 UTC
Upstream GNOME is working with PolicyKit to correctly resolve multi-user policy. I suspect we will deprecate at_console for this method of access control.
