Re: [gdm-list] Screensaver Solution Discussion

From: Bob Doolittle <Robert Doolittle Sun COM>
To: Jeff Cai <Jeff Cai Sun COM>
Cc: GNOME Accessibility <gnome-accessibility-list gnome org>, Alan Coopersmith <Alan Coopersmith Sun COM>, gdm-list gnome org, screensaver-list gnome org
Subject: Re: [gdm-list] Screensaver Solution Discussion
Date: Thu, 21 Jan 2010 14:16:46 -0500

I'm sorry but I made some cut/paste error. You need to callpam_authenticate() immediately after step 2. You certainly aren't goingto have gdm's pam_conf() function invoked until you do :)

I remember writing that, but obviously managed to fat-finger it awaybefore sending this out. :-\


Sorry about that,
  Bob

Bob Doolittle wrote:

I've annotated your steps below with more specific PAM invocations:

Jeff Cai wrote:
I summarized the steps about how screensaver works. Because a usercan disable VT, also because VT has not been supported on someplatforms yet, for example SUN Sparc,
we will handle both situations separately.
1. After the user logs in, the user's gnome-screensaver (usersession) process will
start.
pam_start() should be called
2. When gnome-session tells that the session is idle,
gnome-screensaver
will start a full-screen window and grab the keyboard and the pointer,
that is to say, the user's session is locked.
gnome-screensaver tells GDM that the user's session is locked. GDMwill start initializing PAM and creates the unlock dialog if VT is
enabled.
Potentially gnome-screensaver's pam_conv() function may be called.Your steps below assume that it is.
Don't forget however that the pam_conv() function may never be calledif a PAM module marked as "sufficient" on the auth stack returnsPAM_SUCCESS before any later PAM module invokes the conversationfunction. This could happen for any sort of device that does externalauthentication independent of the conversation function, such as asmartcard reader that has a built-in PIN pad which doesn't require anyX-based dialog/interaction, for instance. In such a case none of thebelow steps would occur (no unlock dialog ever displayed, no waitingfor user mouse/kb event).
It's crucial in this model that no local X server grab affect theability for gnome-screensaver to interact with another VT. I imaginethere's no issue here but I raise this point just in case. If there isa grab in effect by some other application (e.g. firefox has a menupulled down) and gnome-screensaver performs any sort of X operation onthe local display that thread will *block*. This is the sort ofvulnerability we are trying to resolve by utilizing a different VT forauthentication.
I'm not going into the details about calls to pam_setcred (REFRESH),pam_acct_mgmt, and pam_open_session (this last call may not berequired for gnome-screensaver, although perhaps when it interactswith a new VT it is? You'd need to check with a better PAM expert thanI on this).
-Bob
3. If the user moves the mouse or hit the keyboard
  3a. If VT is enabled, gnome-screensaver will ask GDM to show the
unlock
dialog on another DISPLAY, and ask VT manager to switch to thatDISPLAY. Then the user inputs the correct password, GDM tellsgnome-screensaver todestroy the window and release the keyboard and the mouse. Do the VTswitching
to the user's DISPLAY.

3b. If VT is not enabled, gnome-screensaver will show the unlock
dialog, interacting with GDM on PAM authentication. If the user inputthecorrect password, gnome-screensaver will destroy the lock window andrelease the keyboard and the mouse.
For 3a, since a new GDM session is created, and GDM has alreadysupported the accessibility, we don't need more work to do.
But for 3b, we need consider to support the accessibility for the
unlock dialog. Here I CCed a11y list in order to hear their opinions.
Can I start a new at-spi-registryd for the unlock dialog? This daemonruns on a new DBUS session daemon listening on a new DBUS address.The unlock process and ATs will communicate with this session daemon,which will not affect the old daemon.
Jeff




_______________________________________________
gdm-list mailing list
gdm-list gnome org
http://mail.gnome.org/mailman/listinfo/gdm-list
_______________________________________________
gdm-list mailing list
gdm-list gnome org
http://mail.gnome.org/mailman/listinfo/gdm-list

References:
- [gdm-list] gnome-screensaver authenticates users through GDM
  - From: Jeff Cai
- Re: [gdm-list] gnome-screensaver authenticates users through GDM
  - From: Brian Cameron
- Re: [gdm-list] gnome-screensaver authenticates users through GDM
  - From: Alan Coopersmith
- Re: [gdm-list] gnome-screensaver authenticates users through GDM
  - From: Jeff Cai
- Re: [gdm-list] gnome-screensaver authenticates users through GDM
  - From: Alan Coopersmith
- Re: [gdm-list] gnome-screensaver authenticates users through GDM
  - From: Jeff Cai
- Re: [gdm-list] gnome-screensaver authenticates users through GDM
  - From: Brian Cameron
- [gdm-list] Screensaver Solution Discussion
  - From: Jeff Cai
- Re: [gdm-list] Screensaver Solution Discussion
  - From: Bob Doolittle

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]