On Thursday 14 February 2008 16:39:55 Michael A. Peters wrote:
Anne Wilson wrote:
In security terms, is there any difference between ending a session (logout of X) and locking a session?
Anne
If I understand what you are asking - yes. By lock session, you mean "Lock Screen" ??
If you just lock the session - your user is still the console user and has permission to write to certain device nodes. When you log out, your user gives up those permissions.
[mpeters@athens ~]$ ls -l /dev/ |grep mpeters |wc -l
29
[mpeters@athens ~]$
That's 29 device nodes that I have permission on because I am the console user. When I log out, they revert to default (typically root) ownership.
For example - lock your screen and ssh in from elsewhere - then run the eject command. The CD tray should shoot out (unless you have a slot loader ...)
Log out at the console and try it - it will fail:
[mpeters@athens ~]$ ssh jerusalem
mpeters@jerusalem's password:
Last login: Tue Feb 12 01:55:49 2008 from 192.168.15.100
[mpeters@jerusalem ~]$ eject
eject: unable to open `/dev/hdc'
[mpeters@jerusalem ~]$
There also are some userspace daemons that often start up when you are logged in (i.e. in GNOME) that exit when you actually log out.
Thanks, Michael. Yes, this is the sort of info that I was looking for.
Of course a remote user would need to get my ssh passphrase to do anything, then again, to use the root password for most things. However, I guess that once again the biggest risk is physical access to the box, since running a different session would still be possible. That's only the same, though, as being logged out, I think.
Have I got the situation roughly right?
Anne
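
The ownership check discussed in this thread, as an added example that is not part of the original messages: it records the owner of every device node under /dev, so a snapshot taken while the screen is locked can be compared with one taken after logout. It looks at ownership only, as the post does; the function names, uid 500 and /dev/dsp are constructed for illustration, and /dev/hdc is the drive named in the post.

```python
import os
import stat

# Constructed sample snapshots (path -> owner uid); uid 500 and /dev/dsp are
# made up for illustration, /dev/hdc is the drive named in the post.
SAMPLE_LOCKED = {"/dev/hdc": 500, "/dev/dsp": 500, "/dev/null": 0}
SAMPLE_LOGGED_OUT = {"/dev/hdc": 0, "/dev/dsp": 0, "/dev/null": 0}


def snapshot(root="/dev"):
    """Map every character/block device node under root to its owner uid."""
    owners = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # node disappeared between listing and stat
            if stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
                owners[path] = st.st_uid
    return owners


def owned_by(owners, uid):
    """Device nodes in a snapshot owned by uid (exact match, unlike grep)."""
    return sorted(p for p, owner in owners.items() if owner == uid)


def reverted(before, after, uid):
    """Nodes uid owned in `before` that have a different owner in `after`.
    Nodes missing from `after` are not reported."""
    return sorted(p for p in owned_by(before, uid)
                  if after.get(p, uid) != uid)


if __name__ == "__main__":
    uid = os.getuid()
    live = owned_by(snapshot(), uid)
    print(f"uid {uid} owns {len(live)} device nodes under /dev")
    for path in live:
        print("  " + path)
    print("sample, given up at logout:",
          reverted(SAMPLE_LOCKED, SAMPLE_LOGGED_OUT, 500))
```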