[sabayon] Moving the monitor out of the session

From: Mark McLoughlin <markmc redhat com>
To: sabayon-list gnome org
Subject: [sabayon] Moving the monitor out of the session
Date: Mon, 13 Jun 2005 12:36:35 +0100
Hey,
	In:

  http://bugzilla.gnome.org/show_bug.cgi?id=305871

	I came to the conclusion that we should change things around such that
the prototype session should run embedded in the same window as the
monitor output. So, you could imagine the menu bar at the top of the
window, the prototype session in the middle and the monitor output in a
pane at the bottom.

	I've already done the first part - the prototype session is now
embedded in a window controlled by Sabayon - and now I want to move the
monitor output out of the window running inside the prototype session
into the window which contains the prototype session.

	As background:

 - the prototype session runs as the "sabayon-admin" user

 - the monitor needs to be able to monitor that user's home directory 
   and also connect to the user's gconfd

 - the profiles and users.xml are stored in /etc (owned by root atm) and
   we need to be able to edit them

	What we currently do is:

 - The "sabayon" program runs as root; when you click "Edit" it starts 
   a prototype session

 - We open a gtk window and run Xnest, telling it to draw inside our 
   gtk window

 - We run a GNOME session as the sabayon-admin user, asking it to 
   display itself on the embedded Xnest

 - We copy the profile to a temporary directory, change its permissions 
   so sabayon-admin can edit it and run "sabayon-monitor" as the 
   sabayon-admin user

 - sabayon-monitor watches for configuration changes, displays them and 
   if you save them, it writes the changes to the temporary profile

 - when you quit, sabayon copies the modified profile back to /etc


	Given that the code monitoring the prototype session for configuration
changes needs to be run as the sabayon-admin user, I think we've two
options for moving the monitor window out of the session:

  1) Make the window which pops up when you click "Edit" run as the 
     sabayon-admin user. In order to do that we'd need to split the 
     protosession code to work like:
       - as root we find a free X display number, write out temporary 
         xauth files for Xnest and the session, change the ownership of 
         those files and create a temporary homedir for the session
       - we'd then copy the profile to a temporary location and change 
         the owner to sabayon-admin
       - next we'd launch sabayon-session with all that information 
         (display number, xauth filenames, temporary homedir, profile 
         filename) in the command line
       - sabayon-session would then open a gtk window, run Xnest, start 
         a session and start monitoring the session
       - changes would be saved to the temporary profile; when 
         sabayon-session exits, sabayon copies the profile back again

     What's nice about this:
       - much less code runs as root; always good from a security 
         perspective

     What's bad:
       - we still have the temporary-copy-of-the-profile hack
       - there'd be a huge amount of loosely defined dependancies 
         between the two programs; its certainly not a clean interface
       - this is going to make monitoring even harder to debug since 
         you now have this complicated command-line and lots of setup 
         work to be done before launching it


  2) Make the monitoring process not display a window at all, but 
     instead send any "changed" events back to sabayon, possibly by 
     spewing some XML for each change on stdout. Sabayon would read 
     this XML description of the changes, display it and save the 
     changes directly to the profile when asked.

     What's nice about this:
       - No temporary-copy-of-the-profile hack
       - Very clean interface between sabayon and the monitoring 
         program 
       - Monitoring would be much easier to debug - all it does is 
         monitor the current session and spew changes to stdout
       - We could even make it easier to debug the modifying of 
         profiles by just piping some pre-saved changes spew to sabayon

     What's bad about this:
       - Lots of code running as root here


	So, before I started writing this mail I'd assumed that the second
option made more sense, but I'm not so sure now. The "lots of code
running as root" is what we really have to think about, I guess. My
feeling is that if we have a sane way of making all this code run as a
non-priveledged user, then it probably makes sense to do that ...

	Thoughts?

Cheers,
Mark.
Follow-Ups:
- Re: [sabayon] Moving the monitor out of the session
  - From: Mark McLoughlin
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]