new cg-manager gui tool for managin cgroups

Thu Jul 21 10:23:07 PDT 2011

On Thu, 2011-07-21 at 10:20 -0400, Jason Baron wrote: 
> Hi,
> 
> On Wed, Jul 20, 2011 at 10:28:32PM +0200, Lennart Poettering wrote:
> > On Wed, 20.07.11 15:20, Jason Baron (jbaron at redhat.com) wrote:
> > 
> > Heya,
> > 
> > > The memory and cpu share controllers are currently supported (I simply haven't
> > > gotten to supporting other controllers yet). One can add/delete cgroups, change
> > > configuration parameters, and see which processes are currently associated
> > > with each cgroup. There is also a 'usage' view, which displays graphically the
> > > real-time usage statistics. The cgroup configuration can then be saved
> > > into /etc/cgconfig.conf using the 'save' menubar button.
> > 
> > How does it write that file? Does the UI run as root? That's not really
> > desirable. It's not secure and it is cumbersome to mix applications
> > running as differnt users on the same session and one the same X
> > screen (since they cannot communicate with dbus, and so on).
> 
> Right, as Dan Walsh, mentioned I need to separate this into two parts -
> the front end UI and a backend communicating via DBUS. This is had been
> a todo item.

Note that in case the services that the backend provides for the GUI are
really powerful there is no real security benefit in separating the GUI
and backend. 

I am not sure that a cgroup manager would be such case though.

For example if the backend service is "interface to enable and configure
various network based authentication services" as it would be in case of
authconfig if it was split into GUI and backend, then you can easily
instruct the backend to authenticate against a network service that will
give you root user with no password. So we would have to trust the user
X session that is the authconfig frontend running in anyway.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb