Re: Prompting for passwords on the desktop?




Stef:

Is there a standard way or goal for the UI and behavior of password
prompts on the desktop? Besides having as few as possible, that is.

There is Trusted Path to consider.  To meet Trusted Path requirements,
any entry of the root password needs to be done via a trusted user.
This means that the dialog would need to run as a special trusted user,
and not as the user whose session is running.  Much like the GDM GUI
programs are run by the special "gdm" user.  Otherwise, someone who has
gained a user privilege could possibly snoop process memory space to
get the root password.  Also if the dialog is running as the user and
core dumps (or can be induced to core dump), then the password may be
left behind in the core file readable by the user.  Also the dialog
would need to run with a separate Xauth connection to the Xserver to
protect against snooping via X interfaces.

However, to resolve this problem would require a fairly significant
amount of infrastructure that does not exist today.  Most people feel
that the existing security is "good enough", but sysadmins with strict
Trusted Path requirements would likely have to disable programs from
asking for root passwords in dialogs via programs like gnome-keyring,
PolicyKit, or gksu.

gnome-screensaver has similar Trusted Path issues.  I understand Jon
McCann is planning to fix this by making the screen lock program show
up in a separate Xserver running as a trusted user.  This would work
via a mechanism similar to VT switching.  Once that is done, perhaps
that could be extended so programs like gnome-keyring or gksu could use
a similar interface for added security and for meeting Trusted Path
requirements.  That would also resolve a lot of the grabbing and
focus issues that plague programs asking for sensitive root passwords
in a user session.

So this information is probably not useful in the short term, but
something to be aware of.  A long-term goal should be to address these
issues so that root password entry is handled in a more secure fashion
in the future.

Brian
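
The core-dump and memory-snooping exposure described above can be narrowed inside the prompting process itself. The following is an added example, not part of the original message or of gnome-keyring, PolicyKit or gksu; it assumes Linux, and the names `harden_process`, `read_secret` and `wipe_secret` are hypothetical. It does not provide the separate trusted user or the separate X connection the message calls for.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/types.h>

#define SECRET_MAX 256
static char secret[SECRET_MAX];   /* the only buffer that holds the password */

/* Call before any password is read. Returns 0 on success, -1 on failure. */
int harden_process(void)
{
    struct rlimit no_core = { 0, 0 };
    /* Hard limit 0: a crash (natural or induced) cannot leave a core file. */
    if (setrlimit(RLIMIT_CORE, &no_core) != 0)
        return -1;
    /* Non-dumpable: unprivileged ptrace attach is refused and the
     * /proc/<pid> files, including mem, become owned by root. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return 0;
}

/* Overwrite the buffer; volatile keeps the compiler from dropping the stores. */
void wipe_secret(void)
{
    volatile char *p = secret;
    for (size_t i = 0; i < SECRET_MAX; i++)
        p[i] = 0;
}

/* Read one line with read(2), so no second copy sits in a stdio buffer.
 * Returns the length without the newline, or -1 on error or overlong input. */
ssize_t read_secret(int fd)
{
    size_t n = 0;
    char c;
    ssize_t r;
    while ((r = read(fd, &c, 1)) == 1 && c != '\n') {
        if (n + 1 >= SECRET_MAX) { wipe_secret(); return -1; }
        secret[n++] = c;
    }
    if (r < 0) { wipe_secret(); return -1; }
    secret[n] = '\0';
    return (ssize_t)n;
}

int main(void)
{
    if (harden_process() != 0) { perror("harden_process"); return 1; }
    if (read_secret(STDIN_FILENO) < 0) return 1;
    /* `secret` would be handed to the authentication call at this point. */
    wipe_secret();
    return 0;
}
```

The dumpable flag is reset by execve(2), so a helper started from this process has to set it again, and neither setting restricts a process that is already running as root.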

