
Re: shutdown from gnome logout dialog



On Tue, Sep 16, 2003 at 09:34:08AM +0200, Thomas Morin wrote:
> According to Xavier Bestel <xavier.bestel@free.fr>:
>  | On Mon 15/09/2003 at 21:06, Thomas Morin wrote:
>  | 
>  | > Here is the principle I propose:
>  | >   - at logout, gnome-session proposes the reboot and halt options to the
>  | >     user
>  | >   - if halt [or reboot] is chosen, a $HOME/.gdm-halt [or .gdm-reboot]
>  | >     file is created
>  | >   - in the gdm PostSession script (which is run by gdm as root), the
>  | >     existence of those files is tested
>  | >   - if one of them exists and if the configuration allows, shutdown
>  | >     (or reboot) of the workstation is triggered
>  | 
>  | I see a problem with this approach: in the case of an NFS-mounted home
>  | directory, several bad things can happen (like root not being able to
>  | delete the user-owned .gdm-* files, or two computers rebooting when they
>  | mount the same NFS directory).
> 
> That's right.
> 
>  | Perhaps there should be a means to
>  | communicate with a precise session only.
> 
> Well this wasn't meant to be a clean and definitive solution. As suggested
> by gdm maintainer (<jirka@5z.com>), the solution is to use the gdm socket
> created in /tmp, which is already used as a communication link between gdm and
> gdmflexiserver, and which uses the X MIT cookie as an authentication token.
> 
> But this is too late for Gnome 2.4, that's why I made this hack, which I
> wouldn't consider good enough for a multiserver/multiuser/multidisplay setup 
> (I would suggest a Debconf question about enabling it or not, suggesting NOT
> to use it in a multi(server|user|display) setup).
> 
> But I think the problem you highlight can be solved if we use /tmp instead of
> /home : securely create a subdir in /tmp ( /tmp/.$USER-ask-gdm/ ) and put the
> halt or reboot files in this dir. I think we can assume /tmp isn't shared by
> two servers right ? This (I think) solves the problem of risking shutting down
> more than one server.
> 
> Another problem that might occur : halt file is created from one session
> logout, another session (same user, same server) logs out, and server is shut
> down by the second session gdm, and not by the first. 
> This can happen if:
>  1 - user creates the halt file without logging out  
>      => "user error"
>  2 - halt file is created but the session is not closed (gnome-session 
>    bug or interruption by a dialog about a soft that's not session 
>    managed etc.)
>      => not very likely to happen IMHO
>  3 - race condition between the two logouts 
>      => the server will be shut down anyway
> 
> To avoid the problem, we can include the DISPLAY in the subdir name.
> 
> What would you think about those improvements ?
> Do they solve the problems for you ?

I still think using a magic number in the file would be helpful to
avoid any chance of accidental shutdown, especially as /tmp is mostly
world writeable. I think the magic number scheme is used in other cases
too (well at least it is in my graphic card) although maybe they would
need modifications to gdm that are also too heavy (how do you manage both
gdm and gnome-session to have the same magic number).

Friendly,

Sven Luther
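
The root-side check this thread converges on (a per-user, per-display request directory in /tmp plus a magic number in the file), as an added example that is not part of the original messages and is not gdm code. The function name, the directory name format and the sample magic value are assumptions, and how gdm and gnome-session come to share the magic value is left open, as it is in the thread.

```python
import hmac, os, stat, tempfile

def request_is_valid(base, user, uid, display, action, magic):
    """True only if <base>/.<user>-ask-gdm-<display>/<action> is a regular
    file owned by uid, in a private directory owned by uid, holding magic.
    The directory name format and the way the magic value reaches both
    sides are assumptions; the thread leaves them open."""
    dirname = ".%s-ask-gdm-%s" % (user, display.replace("/", "_"))
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC
    try:
        dfd = os.open(os.path.join(base, dirname), flags | os.O_DIRECTORY)
    except OSError:
        return False  # missing, a symlink, or not a directory
    try:
        dst = os.fstat(dfd)
        # /tmp is world-writable: anyone can pre-create this name, so the
        # directory must belong to the session user and be mode 0700.
        if dst.st_uid != uid or stat.S_IMODE(dst.st_mode) & 0o077:
            return False
        try:
            ffd = os.open(action, flags | os.O_NONBLOCK, dir_fd=dfd)
        except OSError:
            return False  # no request file, or it is a symlink
        try:
            fst = os.fstat(ffd)
            if not stat.S_ISREG(fst.st_mode) or fst.st_uid != uid:
                return False
            data = os.read(ffd, 256)
        finally:
            os.close(ffd)
        # Constant-time comparison of file content with the expected value.
        return hmac.compare_digest(data.strip(), magic.encode())
    finally:
        os.close(dfd)

if __name__ == "__main__":
    # Constructed demo: a temp dir stands in for /tmp, "c0ffee42" for the magic.
    base = tempfile.mkdtemp()
    d = os.path.join(base, ".alice-ask-gdm-:0")
    os.mkdir(d, 0o700)
    with open(os.path.join(d, "halt"), "w") as f:
        f.write("c0ffee42\n")
    print(request_is_valid(base, "alice", os.getuid(), ":0", "halt", "c0ffee42"))
    print(request_is_valid(base, "alice", os.getuid(), ":0", "halt", "0000"))
```

Checking ownership and mode on the opened descriptors, rather than on path names, keeps the answer tied to the objects actually read even if names in /tmp are swapped between the check and the read.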


