[CentOS] Lock session vs. End session

Anne Wilson cannewilson at googlemail.com
Thu Feb 14 16:52:24 UTC 2008


On Thursday 14 February 2008 16:39:55 Michael A. Peters wrote:
> Anne Wilson wrote:
> > In security terms, is there any difference between ending a session
> > (logout of X) and locking a session?
> >
> > Anne
>
> If I understand what you are asking - yes.
> By lock session, you mean "Lock Screen" ??
>
> If you just lock the session - your user is still the console user and
> has permission to write to certain device nodes. When you log out, your
> user gives up those permissions.
>
> [mpeters@athens ~]$ ls -l /dev/ |grep mpeters |wc -l
> 29
> [mpeters@athens ~]$
>
> That's 29 device nodes that I have permission on because I am the
> console user. When I log out, they revert to default (typically root)
> ownership.
>
> For example - lock your screen and ssh in from elsewhere - then run the
> eject command. The CD tray should shoot out (unless you have a slot
> loader ...)
>
> Log out at the console and try it - it will fail:
>
> [mpeters@athens ~]$ ssh jerusalem
> mpeters@jerusalem's password:
> Last login: Tue Feb 12 01:55:49 2008 from 192.168.15.100
> [mpeters@jerusalem ~]$ eject
> eject: unable to open `/dev/hdc'
> [mpeters@jerusalem ~]$
>
>
>
> There also are some userspace daemons that often start up when you are
> logged in (i.e. in GNOME) that exit when you actually log out.
>
Thanks, Michael.  Yes, this is the sort of info that I was looking for.

Of course a remote user would need to get my ssh passphrase to do anything, 
then again, to use the root password for most things.  However, I guess that 
once again the biggest risk is physical access to the box, since running a 
different session would still be possible.  That's only the same, though, as 
being logged out, I think.

Have I got the situation roughly right?

Anne
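
Added example, not part of the original thread: a small shell check, run from a remote login, for the console-user device-node ownership described in the quoted reply. The function names are made up for this example, and it assumes a find that supports -mindepth/-maxdepth (GNU, BSD and BusyBox do).

```shell
#!/bin/sh
# Added example (helper names are hypothetical, not from the thread).

# count_owned_nodes USER [DIR]
# Print how many entries directly under DIR (default /dev) are owned by USER,
# given as a login name or numeric uid. find tests real ownership, whereas
# `ls -l | grep name` also matches the name in a group column or a file name.
count_owned_nodes() {
    find "${2:-/dev}" -mindepth 1 -maxdepth 1 -user "$1" 2>/dev/null |
        wc -l | tr -d ' '
}

# list_non_root_nodes [DIR]
# Print "owner path" for each entry directly under DIR not owned by uid 0.
# Run before and after logging out at the console to see what reverts.
list_non_root_nodes() {
    find "${1:-/dev}" -mindepth 1 -maxdepth 1 ! -user 0 2>/dev/null |
        while IFS= read -r path; do
            owner=$(ls -ld -- "$path" | awk '{print $3}')
            printf '%s %s\n' "$owner" "$path"
        done
}

# Report for the invoking user, e.g. from an ssh login while the screen is locked.
echo "nodes in /dev owned by uid $(id -u): $(count_owned_nodes "$(id -u)")"
```

Comparing the output of list_non_root_nodes with the screen locked and again after a full logout shows which nodes stay writable by the user during a lock.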