Re: [systemd-devel] Should systemd-logind provide a DM-independent mechanism for handling guest accounts?

2014-11-12 Thread Laércio de Sousa
2014-11-11 20:56 GMT-02:00 Daniel J Walsh dwa...@redhat.com:

> The problems would be in having multiple users get access to the
> machine at the same time.  For this you need something that generates
> a UID on the fly for the user.  I would expect a fairly simple pam
> module could be done for this.
>
> One problem with this though would be a user might log in as guest user
> but end up getting the guest134 user account.
>
> This means you would want some kind of sssd interaction, so a user
> executing id or ls -lZ ~/ would see all of his files and processes
> running as guest.


This is more or less what LightDM currently does in its built-in guest
account support. There's no user 'guest' previously created. Instead,
login as guest is a special entry in LightDM. Whenever a user logs in as
guest, a new temporary user is added with username 'guest-XX' (with XX
replaced with a random character sequence) and GECOS Guest, and a
temporary home folder is created. When guest user logs out, this
temporary user is deleted along with its home folder.

With this implementation, LightDM on-the-fly guest accounts are completely
multi-seat compliant. The downside is that normal and guest users need to be
treated differently in lightdm.conf. For example, there are distinct
options for autologin as normal user and autologin as guest.
-- 
*Laércio de Sousa*
*IT Advisor*
*Escola Municipal Professor Eulálio Gruppi*
*Rua Ismael da Silva Mello, 559, Mogi Moderno*
*Mogi das Cruzes - SP, CEP 08717-390*
Phone: (11) 4726-8313
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel


Re: [systemd-devel] Should systemd-logind provide a DM-independent mechanism for handling guest accounts?

2014-11-11 Thread Daniel J Walsh
It would be fairly easy to set up pam_namespace for the guest user to
provide a temporary /tmp and ~/.  Now, just like we do for xguest.

Then you could set up the login account to use no password and the
guest_u user and allow users onto the system.

This would get you most of the things you want.  The problems would be
in having multiple users get access to the machine at the same time.
For this you need something that generates a UID on the fly for the
user.  I would expect a fairly simple pam module could be done for this.

One problem with this though would be a user might log in as guest user
but end up getting the guest134 user account.

This means you would want some kind of sssd interaction, so a user
executing id or ls -lZ ~/ would see all of his files and processes
running as guest.

Taking advantage of other namespaces to set up additional containment
might also be interesting, especially the pid namespace.

On 11/10/2014 04:36 PM, Lennart Poettering wrote:
> On Mon, 10.11.14 16:41, Laércio de Sousa
> (laercioso...@sme-mogidascruzes.sp.gov.br) wrote:
>
> > Hi there!
> >
> > Currently there are few alternatives for implementing guest accounts in
> > Linux systems. I know only two: an AppArmor-based approach implemented in
> > LightDM, and a SELinux-based approach implemented in Fedora's package
> > xguest that works with GDM. There's no option for console guest login
> > (should it be needed?).
> >
> > I was thinking if systemd-logind could handle itself guest accounts in the
> > future, making it available for use by any display manager (and even
> > console logins, who knows?).
> >
> > What do you think about it?
>
> I figure this pays into the whole concept of dynamic users, which we
> really want to have eventually, to deal with dynamic allocation of
> UIDs for user namespacing in container managers, for allocating
> per-seat users for gdm login screens, and then also for your usecase,
> i.e. to implement guest users that go away entirely on logout.
>
> So yeah, it's definitely something we want, and I figure it should be
> added to the systemd project in some way.
>
> Lennart


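Added example, not code from this thread, LightDM or systemd: a sketch of the on-the-fly allocation discussed in the two messages above, where each guest login gets its own unused UID and a random guest-XXXXXX name with GECOS "Guest", so concurrent guests on several seats do not collide. The UID range, home path, shell and all names in the code are assumptions, and the passwd lines are constructed.

```python
import secrets
import string

# Assumptions (not from the thread): reserved UID range, home path, shell.
GUEST_UIDS = range(61000, 61100)
ALPHABET = string.ascii_lowercase + string.digits

# Constructed passwd(5) lines; the last one is a guest that is still logged in.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    "guest-k3x9qa:x:61000:61000:Guest:/tmp/guest-k3x9qa:/bin/bash",
]


class GuestAllocator:
    """Hands out throwaway guest accounts so several seats can log in at once."""

    def __init__(self, passwd_lines, uid_range=GUEST_UIDS):
        self.uid_range = uid_range
        self.names, self.uids = set(), set()
        for line in passwd_lines:  # name:passwd:uid:gid:gecos:home:shell
            fields = line.strip().split(":")
            if len(fields) == 7 and fields[2].isdigit():
                self.names.add(fields[0])
                self.uids.add(int(fields[2]))

    def login(self):
        """Return a passwd entry for a new guest with an unused name and UID."""
        uid = next((u for u in self.uid_range if u not in self.uids), None)
        if uid is None:
            raise RuntimeError("guest UID range exhausted")
        name = None
        while name is None or name in self.names:
            name = "guest-" + "".join(secrets.choice(ALPHABET) for _ in range(6))
        self.names.add(name)
        self.uids.add(uid)
        return f"{name}:x:{uid}:{uid}:Guest:/tmp/{name}:/bin/bash"

    def logout(self, entry):
        """Release the account. Call only after the temporary home is deleted,
        otherwise leftover files would be owned by the next guest given this UID."""
        fields = entry.split(":")
        self.names.discard(fields[0])
        self.uids.discard(int(fields[2]))
```
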


[systemd-devel] Should systemd-logind provide a DM-independent mechanism for handling guest accounts?

2014-11-10 Thread Laércio de Sousa
Hi there!

Currently there are few alternatives for implementing guest accounts in
Linux systems. I know only two: an AppArmor-based approach implemented in
LightDM, and a SELinux-based approach implemented in Fedora's package
xguest that works with GDM. There's no option for console guest login
(should it be needed?).

I was thinking if systemd-logind could handle itself guest accounts in the
future, making it available for use by any display manager (and even
console logins, who knows?).

What do you think about it?
-- 
*Laércio de Sousa*
*IT Advisor*
*Escola Municipal Professor Eulálio Gruppi*
*Rua Ismael da Silva Mello, 559, Mogi Moderno*
*Mogi das Cruzes - SP, CEP 08717-390*
Phone: (11) 4726-8313


Re: [systemd-devel] Should systemd-logind provide a DM-independent mechanism for handling guest accounts?

2014-11-10 Thread Lennart Poettering
On Mon, 10.11.14 16:41, Laércio de Sousa
(laercioso...@sme-mogidascruzes.sp.gov.br) wrote:

> Hi there!
>
> Currently there are few alternatives for implementing guest accounts in
> Linux systems. I know only two: an AppArmor-based approach implemented in
> LightDM, and a SELinux-based approach implemented in Fedora's package
> xguest that works with GDM. There's no option for console guest login
> (should it be needed?).
>
> I was thinking if systemd-logind could handle itself guest accounts in the
> future, making it available for use by any display manager (and even
> console logins, who knows?).
>
> What do you think about it?

I figure this pays into the whole concept of dynamic users, which we
really want to have eventually, to deal with dynamic allocation of
UIDs for user namespacing in container managers, for allocating
per-seat users for gdm login screens, and then also for your usecase,
i.e. to implement guest users that go away entirely on logout.

So yeah, it's definitely something we want, and I figure it should be
added to the systemd project in some way.

Lennart

-- 
Lennart Poettering, Red Hat