Is there a way in Linux to have two different users log into the same graphical session?

Question

What I am trying to do:

I have a machine that is treated as an appliance, it has multiple graphical applications open, and these must not be closed at any time.

HumanA might turn on the system, launch the applications, then lock the screen.

There is a shift change, and HumanB now takes the responsibility of the machine.

HumanB now needs to log into the system, and see the same graphical applications that HumanA launched.

How I do it today

Today we achieve this by having one user account (UserX) and both HumanA and HumanB know the password to UserX.

The problem is with the auditing of this system. If we determine something very bad happened over the weekend, the log file would only tell us that UserX logged in. This fails to meet our regulations.

What I need it to do

I need HumanA and HumanB to not know each others password or a shared password.

I need HumanA and HumanB to he able to log in and see the same graphical user environment.

I need to be able to determine which Human logged in at what time, from an audit point of view.

** Clarifications **

This is a computer/monitor/keyboard setup, no remote or ssh sessions to worry about.

The humans don't use the system at the same time.

Any trick that involves "moving" the application can't cause any interruption in high performance computing tasks, even a 1 millisecond interruption is not acceptable.

We currently use yocto and XFCE.

The application can not be re-written or redesigned, it must remain graphical.

Answer 1

You could continue to have UserX open the graphical session, but add another application that does a screengrab over the graphical applications. HumanA can "log in" through that screengrab application. The application would record that HumanA is now operating the system.

At the end of a shift, HumanA "logs out" by restarting the screengrab application (over the long-running graphical applications), so when HumanB arrives, she must "log in" through the screengrab, and the user change can be recorded.

Answer 2

It's a bit hackish, but I think you could manage it by using multiple users with the same uid. You could would have on /etc/passwd:

Appliance:x:1000:1000::/home/machine:/bin/bash
HumanA:x:1000:1000::/home/machine:/bin/bash
HumanB:x:1000:1000::/home/machine:/bin/bash

(plus corresponding entries on /etc/shadow, you may passwd HumanA)

The system actually identifies the users by their uid. So, with a setup like this, you can enter both HumanA (with HumanA's password) or HumanN (with HumanB's password), and you will end up at the same session. It will however log the user provided for login.

When the system wants to resolve uid 1000 to a name, it will find the first resullt and just return "Appliance".

The same trick could be performed with other nss providers, of course.