Re: Jon - question about GDM and gnome-screensaver




Jon:

Responding to the screensaver-list gnome org list for a wider audience
as Jon suggested.

Basically, I am trying to restart the discussion that was had in
February, 2006 about supporting gnome-screensaver on Solaris:

http://mail.gnome.org/archives/screensaver-list/2006-February/msg00000.html

>> Do you think it makes more sense for us to start hacking on
>> gnome-screensaver to make it work on Solaris, or do you think the
>> right long-term plan is to make GDM and gnome-screensaver use the
>> same PAM backend code to make this issue go away?
>
Not directly.  Although one possible approach is to never show a lock
dialog in gnome-screensaver but to just go back to the GDM greeter.
This is more feasible once you get VT switching and we use the
FactoryDisplay.

This might be a possible solution for some users, but is not really a
general solution.  You can't really assume that VTs are always
available.  For example, it might work reasonably on the console, but
not for a multi-user server or for remote XDMCP displays.

I was really wondering if you think it would be better to try to pursue
getting gnome-screensaver to work on Solaris, or whether you thought it
made more sense to try and share features between GDM and
gnome-screensaver.  Since GDM is managing the displays, it might make
more sense for GDM to control locking displays, for example.  Or it
might make sense for GDM and gnome-screensaver to share a single
underlying PAM implementation.  The main difference in how GDM and
gnome-screensaver interact with PAM is mainly with auditing.

>> As you probably already know, the main issue with gnome-screensaver
>> is that on Linux PAM allows users to authenticate themselves and this
>> feature does not work on Solaris.  We have already talked with the
>> Sun PAM team, and they have already decided that the Linux approach
>> is not suitable for Solaris.  So, I think we need to split
>> gnome-screensaver into two processes so that one can run as a daemon
>> and interact with PAM while the other process provides the GUI and
>> runs as the user.
>
I am still not convinced that your PAM team is correct either.

In summary, the PAM mechanisms that allow PAM to authenticate as self
work with common PAM configurations, but not all PAM configurations:

Some examples:

https://bugs.launchpad.net/ubuntu/+source/gnome-screensaver/+bug/64301
http://www.caliban.org/mt/archives/2006/10/
http://bugzilla.gnome.org/show_bug.cgi?id=370847

So, I don't think the desire to support interacting with PAM modules as
root (or with privilege) is really a Sun-specific thing.

From what I remember of the discussion on the list, no one had any real
good responses to comments from Ray and Nalin and others.

Looking over the previous conversation, I don't see any questions by
Ray.  It seems the only issue you and Nalin had was about this issue:

> 2) As soon as the screen gets locked pam_authenticate needs to be
> called and code should loop inside the pam_conversation function.
> Currently, pam_authenticate gets called only when a user moves the
> mouse or keyboard while the screen is locked.

To be honest, I am not sure if this is really necessary either.  Alan
highlighted the smart card use case where users probably want the
SmartCard entry to wake up the screensaver rather than requiring
mouse or keyboard events.  But it probably wouldn't be the end of
the world if such users had to wiggle their mouse after SmartCard
entry to wake up the screensaver.

Issues #1 and #4 in the original email seem to have already been
addressed by you, and issue #3 is simply that SunAudit logic needs to be
added, which you seem to agree with.  Refer here:

http://mail.gnome.org/archives/screensaver-list/2006-June/msg00000.html

In short, I think if we want to make gnome-screensaver work on Solaris
we probably should start by making it possible for it to work with
the PAM interaction handled by a separate root-owned daemon and to
add SunAudit logic.  Does this seem reasonable?

But I wanted to see if the plans to rewrite GDM might also be
affecting gnome-screensaver plans.  As I suggest above, perhaps we
should be working towards making GDM manage locking directly or use
common code for interacting with PAM?

Probably good to continue this discussion on the list.

Sure, forwarding discussion there now...

Brian

