Re: [gdm-list] gnome-screensaver authenticates users through GDM
- From: Alan Coopersmith <Alan Coopersmith Sun COM>
- To: Jeff Cai <Jeff Cai Sun COM>
- Cc: gdm-list gnome org, screensaver-list gnome org
- Subject: Re: [gdm-list] gnome-screensaver authenticates users through GDM
- Date: Sun, 17 Jan 2010 23:16:31 -0800
Jeff Cai wrote:
> On Fri, 2010-01-15 at 10:02 -0800, Alan Coopersmith wrote:
>> Brian Cameron wrote:
>>> Another advantage is that on the console, this could be written so
>>> the authentication dialog screen is presented on a separate VT and
>>> runs as the "gdm" user, providing better TrustedPath security. This,
>>> for example, ensures that the authentication dialog is not using
>>> the same Xauth cookie as the user's session, avoiding any possible
>>> interference or snooping from a userland program.
>> Running unlock on another X server actually provides even more benefits:
>
> Currently, before a user logs in to GNOME, I find root user's Xorg keeps
> running. Why is it not a normal user's X server like 'gdm'?

Xorg starts as root to have the permissions needed to open & initialize devices.
On Solaris & OpenSolaris, there's a backchannel between gdm & Xorg to provide
a username to switch to when it should run as someone else - this happens at
login, but presumably not for the mini-session gdm now runs before login.
(I suppose it could do so, would just need to update the gdm patch that does
so - but I haven't verified that Xorg can switch uids between non-root users
without restarting - that would need to be tested.)
--
-Alan Coopersmith- alan coopersmith sun com
Sun Microsystems, Inc. - X Window System Engineering