On Thu, 02.06.16 18:00, Sam Varshavchik (mrsam(a)courier-mta.com) wrote:
> If an unprivileged program, like tmux, or screen, or nohup, can do whatever
> dbus/ibus thingy it needs to do in order to elevate itself to a new
> "session", and make arrangements to prevent itself from getting nuked from
> high orbit by KillUserProcesses, then the same thing can obviously be done
> by any other process. Like the same rogue spambot that's being discussed
> here. The rogue spambot in question can simply talk to systemd itself, and
> arrange for it not to be killed when the user logs out. Just like any other
> process. There goes the added "security" we were hoping to achieve, here.

Key here is that the life-cycle is enforced by privileged code, and
that this privileged code checks system policy (as in PolicyKit) when
deciding what to do. Yes, the default policy we ship is friendly, and
says that users can stick around if they want, via lingering, but key
here is that this policy check is done by privileged code, and stored
in privileged policy.
Lennart
--
Lennart Poettering, Red Hat
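
To make the reply above concrete, here is an added example (not from the thread and not systemd's own code): a polkit rule an administrator could install in place of the friendly default, so that only members of a group may enable lingering for themselves. The group name `linger-ok`, the function name `lingerPolicy` and the rules file name are assumptions.

```javascript
// Added example. Would be installed as e.g.
// /etc/polkit-1/rules.d/50-restrict-linger.rules (file name is an assumption).
// "linger-ok" is a hypothetical group name.

// Outside polkitd (for instance under node, for testing) there is no global
// `polkit` object, so fall back to the same result strings polkit uses.
var RESULT = (typeof polkit !== "undefined")
    ? polkit.Result
    : { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" };

// Decide logind's linger actions. The subject is filled in by polkitd from
// the caller's credentials; the calling process does not get to describe itself.
function lingerPolicy(action, subject) {
    switch (action.id) {
    case "org.freedesktop.login1.set-self-linger":
        // A user asking to keep their own processes after logout.
        return subject.isInGroup("linger-ok") ? RESULT.YES : RESULT.NO;
    case "org.freedesktop.login1.set-user-linger":
        // Changing lingering for another user needs administrator authentication.
        return RESULT.AUTH_ADMIN;
    default:
        // Not a linger action: let other rules and the shipped defaults decide.
        return null;
    }
}

if (typeof polkit !== "undefined") {
    polkit.addRule(lingerPolicy);
}
```

The rules directory is writable only by root and the rule is evaluated inside polkitd, so a process running as the user can ask for lingering but cannot change the answer.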