Re: [gdm-list] Security?

From: "Ray Strode" <halfline gmail com>
To: "Jiri Lebl" <jirka 5z com>
Cc: gdm-list gnome org
Subject: Re: [gdm-list] Security?
Date: Fri, 30 Nov 2007 12:43:58 -0500

Hi George,

> Maybe the original version of gdm cookie generation was overkill on desktop
> linux machine (note that gdm should run on more than linux, and gdm should be
> secure even when not on linux).  But this is UNDERKILL.

So just a couple of comments,

- In the local case, we probably want to rely on socket peer
credentials instead of auth cookies anyway (i.e., does the user
calling XOpenDisplay have a uid that's okay with the server)
- If you ask the X server for an auth cookie (using
XSecurityGenerateAuthorization), it will give you one back using an
algorithm very similar to the one we're using now
- In the remote case, XDMCP is pretty insecure regardless.  Everything
goes over the wire unencrypted, for instance.  So you should really
only be using it if you know you're in a secure environment.
- It wouldn't be hard to make _generate_random_bytes call
g_random_set_seed every 4 bytes (or use make our own GRand instance
each call with enough entropy for the size passed in).  I can look
into doing that.

--Ray

Follow-Ups:
- Re: [gdm-list] Security?
  - From: George

References:
- [gdm-list] Security?
  - From: Jiri Lebl

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]