[sugar] Shared Terminal Idea

Benjamin M. Schwartz bmschwar at fas.harvard.edu
Mon May 12 13:25:05 EDT 2008



I think shared Terminal would be very cool.  A lot of other people seem to
think so too.  It would be a fun way to learn command-line stuff, by
sharing a prompt with a remote friend.

This is not quite the same thing as standard SSH, which allows someone
else to start a new terminal on someone else's computer.  In this case, we
want outsiders to be able to _join_ a Terminal session on someone else's
computer.

We can imagine two ways of "sharing" Terminal: read-only and read-write.
Read-only means that joiners can only view the proceedings, not
participate in them.  Read-write means that anyone can type on the same
command-line.  I am concerned here primarily with the read-write case, as
it seems more general and more instructional.

The biggest problem with read-write shared Terminal is security.  The
remote participant gains the full privileges of the local participant.
Currently, anyone who can type in Terminal has root access to the machine.
However, this is not necessary.  For example, even with the current
Rainbow implementation, we can create a new Activity called "SafeTerminal"
that runs as an unprivileged user, with all the implied protections.

One way to implement such a SafeTerminal with sharing is to use sshd and
screen, as noted in (http://www.linux.com/articles/56443).  The activity
can start an instance of screen when it launches.  When it is shared, it
can start an sshd (running as the unprivileged user).  Joining instances
can log in to the sshd and automatically connect to the shared session of
screen.

Details:
Q: How do we make the shared sshd available only to invited members?
A: We might be able to do this using Telepathy's Stream Tubes.  We would
have to set up an IPv4 stream-tube on each side with access restricted to
localhost.  The server would do sshd -p [server_port], and the client
would do ssh -p [client_port] localhost.

Q: How do we run multiple independent shared instances of SafeTerminal
without having port collisions?
A: This is a problem for any Activity that wants to use a TCP port.  There
are only so many ports, and there is a possibility of collisions if
Activities choose ports independently.  Vserver would have solved this
problem.  An ideal solution would be to use UNIX sockets instead of IPv4
sockets, but I do not know of any way to make ssh use a UNIX socket.  The
best possible solution may be for Sugar to provide a port assignment
service from which Activities request ports.

Q: What if the user has disabled Rainbow protections, either entirely or
just for this Activity?
A: It's possible that SafeTerminal should refuse to share if it detects
that it is running with "too much privilege".  On the other hand,
SafeTerminal running with sudo privileges would be a great way to allow a
trusted friend to help me fix my system.

Once we are clear on the details, I do not think it will be very difficult
to implement a safe shared Terminal.
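
An added example (not part of the original message, and not Sugar or Rainbow code) of the sharing-time checks discussed under "Details" above: refuse to share when the prompt holds root or sudo rights, let the kernel pick a free loopback port, and produce an sshd configuration that listens only on localhost and attaches joiners to the shared screen session. The admin group names, the state directory layout and all function names are assumptions.

```python
import re
import socket

ADMIN_GROUPS = {"wheel", "sudo", "admin"}  # assumption: groups that grant sudo

def too_privileged(euid, group_names):
    """True if anyone typing at this prompt would hold root or sudo rights.
    Callers pass os.geteuid() and the names of the process's groups."""
    return euid == 0 or bool(ADMIN_GROUPS & set(group_names))

def pick_loopback_port():
    """Let the kernel choose a free port on 127.0.0.1 instead of hard-coding one.
    Another process can take the port between close() and sshd's bind, so the
    caller should retry with a new port if sshd fails to start."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def sshd_config(port, session, state_dir):
    """sshd_config text for a per-activity sshd reachable only via localhost."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", session):
        raise ValueError("session name must not contain shell metacharacters")
    return "\n".join([
        f"Port {port}",
        "ListenAddress 127.0.0.1",          # only the local tube endpoint connects
        f"HostKey {state_dir}/host_key",    # hypothetical per-activity paths
        f"PidFile {state_dir}/sshd.pid",
        f"AuthorizedKeysFile {state_dir}/authorized_keys",
        "PasswordAuthentication no",
        "UsePAM no",                        # this sshd does not run as root
        "AllowTcpForwarding no",
        "X11Forwarding no",
        # joiners are attached to the shared session, not given a fresh login shell
        f"ForceCommand screen -x {session}",
    ]) + "\n"

def plan_share(euid, group_names, session, state_dir, allow_privileged=False):
    """Return (port, config text), or refuse when the prompt is too privileged.
    allow_privileged=True is the deliberate 'trusted friend fixes my system' case."""
    if too_privileged(euid, group_names) and not allow_privileged:
        raise PermissionError("refusing to share a terminal with root/sudo rights")
    port = pick_loopback_port()
    return port, sshd_config(port, session, state_dir)
```

The returned text would be written to a file and given to sshd with -f, with each invited joiner's public key placed in the authorized_keys file.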

