On Wed, 2011-06-22 at 15:39 -0400, Jasper St. Pierre wrote:
> > > 2. Multiple users or sessions on the same machine
> > Only the first session can use it.
>
> My idea was that log-out would stop the HTTP daemon for that session
> and open one for the current user. Unless there's a special case (I
> didn't think of virt) where two users can be securely both actively
> having GNOME sessions at the same time, I don't think this is a
> problem.

I don't know the exact details, but what comes to my mind:
 - multiple-seat setups would have multiple sessions running
 - If user A is working and (s)he left the computer by clicking 'switch
   user', the programs should continue to run in the background as if
   nothing happened. However, user B can log in at the same time. I
   believe that after a user switch the illusion of continuity is
   preserved (i.e. windows can be opened/closed, d-bus works), so it
   would be surprising to disallow contacting the HTTP daemon

> The only security issue I can think of that arises out of
> this compromise is that a user could ssh in to the same machine and
> frob the HTTP server to... install, enable/disable and list extensions
> from the official GNOME3 site.

Which may prove to be a vector of attack if the computer is shared and the
exploit is discovered and not yet marked as such on the site.

Regards
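Added example, not part of the original message or of any GNOME code: one way a per-session loopback HTTP daemon on Linux could tell which local user owns a connecting socket (the shared-machine case raised above), by matching the peer against `/proc/net/tcp`. Port 8080, the UIDs and all function names are assumptions, and the table is constructed for a little-endian host.

```python
import socket
import struct

# Constructed /proc/net/tcp excerpt: a daemon owned by UID 1000 listening on
# 127.0.0.1:8080 (0x1F90), one client owned by UID 1000, one owned by UID 1001.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20001
   1: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 20002
   2: 0100007F:C350 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 20003
   3: 0100007F:C351 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1001        0 20004
"""

def _hex_endpoint(ip, port):
    # The kernel prints the IPv4 address as a native-endian 32-bit word in hex
    # (127.0.0.1 -> "0100007F" on little-endian hosts), then the port in hex.
    word = struct.unpack("=I", socket.inet_aton(ip))[0]
    return "%08X:%04X" % (word, port)

def peer_uid(table, peer, server):
    """Return the UID owning the client end of a loopback connection, or None."""
    want_local, want_remote = _hex_endpoint(*peer), _hex_endpoint(*server)
    for line in table.splitlines()[1:]:           # skip the header row
        f = line.split()
        # f[1]=local, f[2]=remote, f[3]=state ("01" is ESTABLISHED), f[7]=uid
        if len(f) > 7 and f[1] == want_local and f[2] == want_remote and f[3] == "01":
            return int(f[7])
    return None

def allowed(table, peer, server, session_uid):
    # Fail closed: a connection whose owner cannot be determined is refused.
    return peer_uid(table, peer, server) == session_uid

def live_table():
    # On a real Linux host the daemon would read the current table per request.
    with open("/proc/net/tcp") as fh:
        return fh.read()

if __name__ == "__main__":
    server = ("127.0.0.1", 8080)
    for port in (50000, 50001, 50002):
        peer = ("127.0.0.1", port)
        print(port, peer_uid(SAMPLE, peer, server), allowed(SAMPLE, peer, server, 1000))
```

In a daemon, `peer` would come from `accept()` and `session_uid` from `os.getuid()`; IPv6 loopback connections are listed in `/proc/net/tcp6` and are not handled here.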