Re: [gdm-list] Security?
- From: "Ray Strode" <halfline gmail com>
- To: "Jiri Lebl" <jirka 5z com>
- Cc: gdm-list gnome org
- Subject: Re: [gdm-list] Security?
- Date: Fri, 30 Nov 2007 12:43:58 -0500
Hi George,
> Maybe the original version of gdm cookie generation was overkill on a desktop
> Linux machine (note that gdm should run on more than Linux, and gdm should be
> secure even when not on linux). But this is UNDERKILL.
So just a couple of comments,
- In the local case, we probably want to rely on socket peer
credentials instead of auth cookies anyway (i.e., does the user
calling XOpenDisplay have a uid that's okay with the server)
- If you ask the X server for an auth cookie (using
XSecurityGenerateAuthorization), it will give you one back using an
algorithm very similar to the one we're using now
- In the remote case, XDMCP is pretty insecure regardless. Everything
goes over the wire unencrypted, for instance. So you should really
only be using it if you know you're in a secure environment.
- It wouldn't be hard to make _generate_random_bytes call
g_random_set_seed every 4 bytes (or make our own GRand instance
each call with enough entropy for the size passed in). I can look
into doing that.
--Ray
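
The socket peer credential check mentioned in the first point above, as an added example that is not part of the original message and is not GDM or X server code. It assumes Linux, where `SO_PEERCRED` exists (other systems expose different interfaces); `peer_uid_allowed` and `demo_peer_check` are hypothetical names, and a socketpair stands in for a real client connection.

```c
#define _GNU_SOURCE             /* struct ucred and SO_PEERCRED are Linux-specific */
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: decide whether the process on the other end of a
 * connected AF_UNIX socket runs as allowed_uid.
 * Returns 1 = allow, 0 = different uid, -1 = no credentials (treat as deny). */
int peer_uid_allowed(int fd, uid_t allowed_uid)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);

    /* The kernel fills in the credentials recorded when the socket was
     * connected; the peer cannot forge them the way it could a cookie. */
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return -1;
    if (len != sizeof(cred))
        return -1;
    return cred.uid == allowed_uid ? 1 : 0;
}

/* Constructed demo: both ends of the socketpair belong to this process,
 * so the peer uid reported by the kernel is our own effective uid. */
int demo_peer_check(uid_t allowed_uid)
{
    int sv[2];
    int verdict;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    verdict = peer_uid_allowed(sv[0], allowed_uid);
    close(sv[0]);
    close(sv[1]);
    return verdict;
}

int main(void)
{
    printf("peer is our uid:    %d\n", demo_peer_check(geteuid()));
    printf("peer is another uid: %d\n", demo_peer_check(geteuid() + 1));
    printf("not a socket:        %d\n", peer_uid_allowed(-1, geteuid()));
    return 0;
}
```

A failed lookup returns -1 rather than 0 so the caller can log it separately, but both values mean the connection should be refused.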