On Jun 1, 2016 7:29 AM, "Tomasz Torcz" <to...@pipebreaker.pl> wrote: > > On Wed, Jun 01, 2016 at 10:04:27AM -0400, Dan Book wrote: > > > > > > Again, this isn't just work-arounds around broken programs. It's a > > > security thing. It's privileged code (logind, PID 1) that enforces a > > > clear life-cycle on unprivileged programs. > > > > > > Any scheme that relies on unprivileged programs "being nice" doesn't > > > fix the inherent security problem: after logout a user should not be > > > able consume further runtime resources on the system, regardless if he > > > does that because of a bug or on purpose. > > > > > > Lennart > > > > > > That's your opinion, and while many sysadmins may share it, many will not. > > Having this as an optional security feature would be fantastic. Enforcing > > it by default on every user many of which use tmux, screen, nohup, and & to > > persist long running processes for daily work, is not something to do just > > because you think it is what people should do. > > Just a little perspective – this isn't a new option. KillUserProcesses functionality > seems to be added by > commit 202630822f52e06dce8404633407329c38099278 > Date: Mon May 23 23:55:06 2011 +0200 > > Five years ago, so basically from day one. We have this optional > security feature – fantastic! > Also, the concept of a ”session” isn't anything new, it's core UNIX > concept (setsid() enyone?) > > I think that programs needing special treatment should use operating > system's facilities to communicate that. So tmux, screen, nohup should > really open a new session. It's unfortunate that tmux author is hostile > against that, but maybe a clean, compile-time optional patch would persuade > him?
You lost me. Tmux almost certainly *already* uses setsid(). The author is hostile to adding a dbus dependency to tmux to tell systemd that it wants a new session. (I suspect that most terminal emulators also call setsid(), so this approach wouldn't actually work.) --Andy
-- devel mailing list devel@lists.fedoraproject.org https://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org