[kbd] [PATCH] vlock: allow sudo user to unlock his session
Михаил Новоселов
m.novosyolov at rosalinux.ru
Sun Aug 23 20:47:47 MSK 2020
----- Original Message -----
> From: "Alexey Gladkov" <gladkov.alexey at gmail.com>
> To: "Михаил Новоселов" <m.novosyolov at rosalinux.ru>
> Cc: "Linux console tools development discussion" <kbd at lists.altlinux.org>, "Dmitry V. Levin" <ldv at altlinux.org>
> Sent: Monday, 10 August 2020 14:16:21
> Subject: Re: [kbd] [PATCH] vlock: allow sudo user to unlock his session
> On Sun, Aug 09, 2020 at 11:50:07PM +0300, Mikhail Novosyolov wrote:
>> >
>> >I don't like the idea of implicitly changing the user through
>> >environment variables.
>>
>> I also don't like it, but don't see much difference with setting
>> LOGNAME=vasya before running vlock and then being unable to unlock the
>> console without root due to fallback to uid=0...
>
> Now LOGNAME is essentially not used. vlock calls getpwnam and, if
> the pw_uid does not match the current uid, vlock calls getpwuid.
> Checking the uid protects against incorrect LOGNAME.
>
> Your patch removes uid check and forces vlock to always use environment
> variables. Now an incorrect LOGNAME cannot change the behavior of vlock,
> but with your patch it will.
I probably confused something and thought that vlock falls back to the root user, not the current user.
Fallback to the current user is good behavior.
>
>> > SUDO_USER can be exposed accidentally or leak into the
>> >environment due to an error. In this case, you will lock the console
>> >without being able to unlock.
>> >
>> >Also, your patch will not allow you to block the console by another
>> >user or by root.
>>
>> What do you mean?
>
> If I want to block the console with a root password, then I can do:
>
> $ sudo vlock
Sounds reasonable, I don't know how to find out whether vlock was run like this or not.
Actually I do not have much interest in implementing this, because neither I
nor anyone I know has ever used vlock, so let's leave this problem for the future.
Thanks for the review!
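
The lookup described in the quoted reply (getpwnam on LOGNAME, a uid comparison, then a getpwuid fallback) next to a variant without the comparison, as an added example that is not vlock's code or part of the original message. The account table, `by_name`, `by_uid` and both `account_*` functions are hypothetical stand-ins for the passwd database and for vlock's lookup.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed account table standing in for the system passwd database. */
struct account { const char *name; uid_t uid; };
static const struct account accounts[] = { {"root", 0}, {"vasya", 1000}, {"petya", 1001} };
#define N_ACCOUNTS (sizeof(accounts) / sizeof(accounts[0]))

/* Stand-in for getpwnam(3): NULL if the name is unset or unknown. */
static const struct account *by_name(const char *name)
{
    for (size_t i = 0; name && i < N_ACCOUNTS; i++)
        if (strcmp(accounts[i].name, name) == 0)
            return &accounts[i];
    return NULL;
}

/* Stand-in for getpwuid(3). */
static const struct account *by_uid(uid_t uid)
{
    for (size_t i = 0; i < N_ACCOUNTS; i++)
        if (accounts[i].uid == uid)
            return &accounts[i];
    return NULL;
}

/* Name from LOGNAME is accepted only if it maps to the caller's own uid. */
const struct account *account_checked(const char *logname, uid_t uid)
{
    const struct account *a = by_name(logname);
    if (a == NULL || a->uid != uid)
        a = by_uid(uid);
    return a;
}

/* No uid check: whatever name the environment carries picks the account. */
const struct account *account_unchecked(const char *env_name, uid_t uid)
{
    const struct account *a = by_name(env_name);
    return a ? a : by_uid(uid);
}

int main(void)
{   /* uid 1000 (vasya) with a LOGNAME that names someone else */
    printf("checked=%s unchecked=%s\n", account_checked("petya", 1000)->name,
           account_unchecked("petya", 1000)->name);
    return 0;
}
```

With uid 0 and the name `vasya` (the `sudo vlock` case from the thread), the checked lookup still returns root, while the unchecked one returns vasya.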