Aaron Zang wrote:
> Jeremy Harris wrote:
>> Aaron Zang wrote:
>>> If a person is ever allowed to access the local console, he/she 
>>> should be trusted  to behave properly.
>>> Virtual consoles could solve by some degree the situation that a 
>>> person *accidentally*  locked  several
>>> of the available virtual consoles, the system administrator could 
>>> login via one of the rest of the available
>>> consoles and deal with the mess. But if all the available virtual 
>>> consoles are locked out, what should be
>>> blamed is the management of physical access to the local consoles.
>>
>> All very reasonable for a server-class system.  Totally useless for a
>> single-monitor, single keyboard system in a student environment.
>>
>
> While in a student environment, it's almost safe to say nothing 
> important (business/money related)
> service is running on that system, so the system admin  could even 
> hammer the  system to  get it back.
>
Except for all the jobs of students logged in from home or the dorms 
through the network, or the long running grad student jobs, that are 
also running on the machine. They may not be directly Bussiness/Money 
related, but if the lab proctors (who aren't usually system admins) have 
to power cycle ot L1-A the machine to unlock the console, then you're 
going to end up with a bunch of pissed off students who lose work, and 
eventually some of those will be upset enough to transfer to another school.
> The locked system situation is not first introduced by virtual 
> console, and it's by the nature of locking
> screen on a workstation.
But all the other methods of locking the screen allow an administrator 
to override that lock.

I agree with you about the audit context, and the ability of whoe ever 
unlocked the screen to act as whoever left themsleves logged in.

I think if it were linked to a privlege (role? profile? authorization?) 
instead of 'root' that garrets suggestion would probably be best. Then 
the sysadmin could give the lab proctor accounts this ability, and a 
utility to clean out the processes on the consoles.

Of course another alternative would be something like 'screen' where 
virtually an unlimited number of virtual conosle could continue to be 
created, leaving the locked ones and the processes running.

   -Kyle

>
> -- aaron


Reply via email to