Chrome Remote Desktop unattended access fails on macOS multi-user computers
Reported by
cmcfarli...@gmail.com,
May 6 2017
|
|||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36 Steps to reproduce the problem: 1. Login to macOS computer as UserA 2. Enable Remote Connections for CRD 3. Note that remoting_me2me_host process is running 4. From separate computer verify that macOS computer shows up as accessible under My Computers in CRD 5. Log out of macOS 6. Note that remoting_me2me_host process is no longer running 7. Login to macOS computer as UserB 8. Note that remoting_me2me_host process never starts 9. From separate computer note that macOS computer is greyed out under My Computers in CRD and is not accessible What is the expected behavior? The expected behavior should be how CRD behaves on Windows. Once remote connections are enabled on a Windows computer it doesn't matter who is logged in or if anyone is logged in at all. From a remote CRD session you can log out of a Windows session and log in as another user while maintaining the CRD session the whole time. In contrast, when connecting to a macOS (OS X) computer via CRD, the connection can be established only if the user who enabled remote connections is logged in. If UserA installs CRD on a macOS computer and enables remote connections then the remoting_me2me_host daemon will run as long as User A is logged in. As soon as UserA logs out the remoting_me2me_host process is killed. If UserB then logs in the remoting_me2me_host daemon does not start up again. Not exactly unattended access. Once CRD is installed and remote connections are enabled, establishing a remote session should be available regardless of who is logged in or if no one is logged in. What went wrong? I've been using CRD for a couple of years with dozens of installs on Windows and Macs. Unattended access has never worked correctly on macOS (OS X). In a nutshell if unattended access work on macOS the same way it works on Windows then everything would be swell. Did this work before? No Chrome version: 58.0.3029.96 Channel: n/a OS Version: 10.12.4 Flash Version:
,
May 8 2017
After more testing this appears to be caused by the CRD config file not being readable by any users other than the user who initially enable remote connections. When UserB logs into macOS the following entry is logged in the system log: May 7 23:33:00 macbook07 remoting_me2me_host[2516]: Failed to read '/Library/PrivilegedHelperTools/org.chromium.chromoting.json': Permission denied Viewing permissions on that file shows: bash-3.2# ls -le org.chromium.chromoting.json -rw-------+ 1 root wheel 2012 May 6 00:08 org.chromium.chromoting.json 0: user:admin allow read So only root and admin can read the config file. Doing a chmod +a "UserB allow read" org.chromium.chromoting.json appears to resolve the issue, but brings up the question of why does it work this way? It seems the devs are assuming that unattended access should be available only when the user who enabled remote connections is logged in (or when the login screen is up).
,
May 9 2017
The issue seems to be out of TE-scope. Hence, adding the label TE-NeedsTriageHelp for further investigation. Thanks...!!
,
May 9 2017
The way the system is architected on Mac means that a new host process starts up for each local user session, but only the login screen (root) and the person who started that host are ACL'd to be able to read the config file. When the host starts up for other users, it will quit because it can't read the config file. Multi-user scenarios like the one you describe are not supported, although that's largely for pragmatic reasons rather than by design.
,
May 9 2017
On Windows the chromoting process runs as a service and is therefore always running regardless of who logs in. This is the logical way to allow unattended access in my opinion. I don't see why it couldn't behave the same way on macOS. Could you not run remoting_me2me_host as a system daemon so that it behaves similarly to the Windows counterpart? On macOS/OS X computers that I maintain there is a local admin account. Most software, including CRD, is initially installed under this account. Once the computer is handed off to the end user another account is created for that user. A lot of times the account creation needs to be done remotely. Then, when troubleshooting remotely it's usually necessary to switch between user accounts. I've always had problems remotely administering Macs because the connection is always dropping any time a login/logout event occurs. It wasn't until now that I dug deep to figure out why. So no I know and at least there is a workaround - to simply alter the ACL on the CRD config file. I maintain that it would make more sense to have the chromoting process always running to alleviate disconnects and allow access when any user is logged in, just like the Windows version.
,
May 9 2017
Yes, it's definitely possible to improve the way this works, but it's a lot of work and not something we've ever been able to prioritize. On Windows, there's always a process running as Administrator that's responsible for delegating work to another process running as the logged-on user, and this adds a lot of complexity. On Mac, we don't have that process separation--instead there's a single process that quits and is restarted when the user logs in. Changing the ACL on the config file should allow the host to run as those users, but it's not a very secure solution because that file contains authentication credentials for the user who set up the host. Those credentials are very tightly scoped to Chromoting, so there isn't a lot that other user could do (basically just add, rename or delete hosts from your account), but it's still not something we'd want to allow by default. |
|||
►
Sign in to add a comment |
|||
Comment 1 by cmcfarli...@gmail.com
, May 6 201794.7 KB
94.7 KB View Download