Re: [gdm-list] Security?



On Fri, Nov 30, 2007 at 01:13:40PM -0500, Ray Strode wrote:
> Well, I'm saying in cases where we can do away with cookies entirely,
> maybe we should.  I was just thinking out loud.

That's fine, but in most (or many) installations 

> Maybe not, but if pseudo-random cookies are the status quo and have
> been for decades, then that should set some expectations about their
> security.  Not saying we can't do better, just trying to add some
> perspective.

And there was a security alert in 2003 or so about it in xdm/kdm.  kdm was
specifically fixed because of it, though I'm not sure xdm is.  This is not a
proper response to a vulnerability.  "The vulnerability existed in software
XY for a long time, hence it need not be fixed, and new software can have the
same vulnerability".

The point is.  I can easily guess the xdm cookie and snoop passwords if I
have an account.  I can reasonably easily do this remotely even if the person
is not using XDMCP because of how braindamaged xdm is.

Pseudorandom cookies are not random cookies, they are security by obscurity.
Something is not random just because it looks random.

> Right, we might want to just ditch cookies entirely in the local case
> (Given a new enough X server to support peer creds)

Not all installations of gdm will be like this ... right?

> Reading from /dev/urandom sounds fine.  It would be nice if there was
> a g_random_reset_seed () function or some such that would make it
> fetch a new seed for us.

Why?  I just don't understand your need to involve GRand.  GRand is
deterministic.  You gain NO SECURITY by using GRand.  You gain nothing!  Why
use it?

George

-- 
George <jirka 5z com>
   Supreme executive power derives from a mandate from the masses,
   not from some farcical aquatic ceremony.
                       -- Dennis (the bloody peasant)
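
Added example, not part of the original message and not gdm, xdm or GLib code: a C sketch of the distinction argued above, contrasting a cookie derived from a seeded deterministic generator with one read directly from /dev/urandom. The LCG is a constructed stand-in for any seeded PRNG (it is not GRand), and the function names, the seed value and the 16-byte cookie length are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define COOKIE_LEN 16 /* assumed: 128-bit X authorization cookie */

/* Deterministic stand-in for a seeded PRNG: every byte is a function of the
 * 32-bit seed, so the cookie carries at most 32 bits of entropy, and fewer
 * when the seed comes from a clock or a pid. */
void cookie_from_seed(uint32_t seed, unsigned char out[COOKIE_LEN])
{
    uint32_t s = seed;
    for (int i = 0; i < COOKIE_LEN; i++) {
        s = s * 1664525u + 1013904223u; /* constructed LCG step */
        out[i] = (unsigned char)(s >> 24);
    }
}

/* Fill the cookie from the kernel CSPRNG. Returns 0 on success, -1 on any
 * failure; handles short reads and EINTR and has no weaker fallback. */
int cookie_from_urandom(unsigned char out[COOKIE_LEN])
{
    size_t got = 0;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    while (got < COOKIE_LEN) {
        ssize_t n = read(fd, out + got, COOKIE_LEN - got);
        if (n > 0) got += (size_t)n;
        else if (n < 0 && errno == EINTR) continue;
        else { close(fd); return -1; }
    }
    close(fd);
    return 0;
}

int main(void)
{
    unsigned char a[COOKIE_LEN], b[COOKIE_LEN], c[COOKIE_LEN], d[COOKIE_LEN];
    cookie_from_seed(1196446420u, a); /* constructed seed value */
    cookie_from_seed(1196446420u, b);
    printf("same seed, same cookie: %d\n", memcmp(a, b, COOKIE_LEN) == 0);
    if (cookie_from_urandom(c) != 0 || cookie_from_urandom(d) != 0)
        return 1; /* fail closed: no cookie rather than a weak one */
    printf("urandom cookies equal: %d\n", memcmp(c, d, COOKIE_LEN) == 0);
    return 0;
}
```

Seeding the deterministic generator from /dev/urandom would still cap the cookie at the width of the seed, which is why the direct read is the version worth keeping.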

