Re: i18n problem in GDM



> On Tue, Mar 09, 2004 at 11:33:12AM +0700, Ross Golder wrote:

>> I'd second that. Nice gimmick, but apart from being i18n'ly broken, it
>> also slows down the login process noticeably and unnecessarily. Probably
>> best defaulted off ;)
>
> It was added to make it compliant with some US govt code (and others
> probably, see http://bugzilla.gnome.org/show_bug.cgi?id=128940) not as a
> gimmick.  It's a security measure to allow users to note the last time of
> their login before they actually log in.  This is useful since logging in
> could run a malicious login script.  In any case it makes it much easier to
> spot that someone else is using your account, and apparently such a feature
> seems to be required for at least the dod and likely others.
>

Hehe. I don't know whether to laugh or cry. I find it strange that I could
just walk up to a DOD computer, type in a login and it will confirm that
the account exists and when that person last logged on. I guess I'd still
have to have access to a DOD computer in the first place :)

If I logged into a non-graphical terminal (e.g. 'login' process), it would
only be _after_ I'd successfully authenticated myself as a legitimate user
before it said 'you last logged in on' and I was able to use commands like
'last' to determine who logged in and when.

Anyways, end of rant. I guess, being in the defence (sp - en_GB) business,
it's up to the DOD to decide on their own definition of security :)

> Also there is absolutely no slowdown because of this, if running 'last' slows
> down your system, something is horribly wrong with it.  I suppose 'last'
> should be translated (I assumed it was actually), in this case we will have
> to add our own 'last' to gdm like we have say our own version of 'open'
> where we can.
>

Does the 'last' check run in a separate thread, or does it block the
password entry? Under load 'last' can take around ten seconds on my
machine, and that's only for one month of logins on a single-user laptop.
I don't want to grow a beard waiting to be able to enter my password :)

Also, IMHO, it'd be better to handle the lookup within gdm, using the wtmp
file directly and l10n'ing the output using gettext. Should make it even
quicker, and solve the i18n issue.

> But in any case, it is a security feature, not a gimmick, and one that is in
> fact required in some installations.  We can turn it off by default for 2.6
> in the config file.
>

OK, sorry for calling it a gimmick. I didn't expect that it could be such
a serious <giggle>security feature</giggle>. Still, it's probably best to
turn it off by default and let security-conscious people (like the DOD)
turn it on if they really want/need it :)

Cheers,

--
Ross
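
The in-process lookup suggested in the message above, as an added example that is not part of the original post and not GDM's code: it reads a wtmp-format file backwards and stops at the user's newest login record instead of running 'last'. It assumes the glibc layout (a plain array of `struct utmpx` records); the names `last_login_time`, `append_record` and the file `wtmp.sample` are hypothetical, and the records are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <utmpx.h>

/* Newest USER_PROCESS record for `user` in a wtmp-format file, scanning from
 * the end. Returns 0 and sets *when, or -1 if none is found or reading fails. */
int last_login_time(const char *path, const char *user, time_t *when)
{
    struct utmpx rec;
    int found = -1;
    FILE *fp = fopen(path, "rb");
    if (fp == NULL) return -1;
    long n = fseek(fp, 0, SEEK_END) == 0 ? ftell(fp) / (long)sizeof rec : 0;
    while (found != 0 && n-- > 0 &&
           fseek(fp, n * (long)sizeof rec, SEEK_SET) == 0 &&
           fread(&rec, sizeof rec, 1, fp) == 1) {
        if (rec.ut_type == USER_PROCESS &&   /* ut_user may lack a NUL */
            strncmp(rec.ut_user, user, sizeof rec.ut_user) == 0) {
            *when = (time_t)rec.ut_tv.tv_sec;
            found = 0;
        }
    }
    fclose(fp);
    return found;
}

/* Append one constructed record (sample input only, not real login data). */
int append_record(const char *path, short type, const char *user, long sec)
{
    struct utmpx rec = {0};
    FILE *fp = fopen(path, "ab");
    if (fp == NULL) return -1;
    rec.ut_type = type;
    strncpy(rec.ut_user, user, sizeof rec.ut_user - 1);
    rec.ut_tv.tv_sec = sec;
    fwrite(&rec, sizeof rec, 1, fp);
    return fclose(fp);
}

int main(void)
{
    time_t when = 0;
    append_record("wtmp.sample", USER_PROCESS, "alice", 1078000000L);
    append_record("wtmp.sample", USER_PROCESS, "alice", 1078800000L);
    append_record("wtmp.sample", USER_PROCESS, "bob", 1078900000L);
    if (last_login_time("wtmp.sample", "alice", &when) == 0)
        printf("Last login: %s", ctime(&when));
    return remove("wtmp.sample") != 0;
}
```

`ctime` only keeps the sample short; a greeter would format the time with `strftime` under the user's locale and pass the surrounding sentence through gettext.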




