Re: gdm: shadow unfriendly



>>>>> "Miguel" == Miguel de Icaza <miguel@nuclecu.unam.mx> writes:

Sorry about the delay. I'm visiting a friend in Switzerland and have been
off the net for a few days.


>> I have a couple of problems with gdm (CVS'd as of 9/29).
>>
>> 1. In order to support shadow passwords, I have to change gdm.conf
>>    to read nobodyuser=root, as only root can access the /etc/shadow
>>    file, even via pam.

Miguel> I don't think we can fix this unless we make gdm suid root, or
Miguel> make gdm run as root always.

The gdm daemon should run as root, yes. 


Miguel> Even then, the only routine used from GNOME is gnome_config
Miguel> and it uses absolute paths, so no immediate abuse of this
Miguel> comes to mind.

And the greeter program which makes use of more library calls runs as
nobody for security reasons.


>> 3. I noticed that when first starting gdm, via "init 5", I see two
>>    gdm's running, plus the gdmgreeter.  Additionally, there are
>>    three error messages emitted like "gdm already running".

gdm consists of the gdm master process (which will eventually do
XDMCP) and a gdm slave process for each display gdm is managing.

Thus the two gdms you see are correct for a single display
configuration.


Miguel> I think gdm should be started like this "gdm -d" from
Miguel> /etc/inittab, otherwise init goes into respawn mode over and
Miguel> over as gdm daemonizes itself by default, here is how I use
Miguel> it:

Miguel>:x:5:respawn:/gnome/bin/gdm -d

Correct. I renamed -d to -nodaemon to be compatible with xdm (-d used
to mean ``debug'').


>> 4. If the browser isn't enabled, the gdmgreeter window isn't
>>    centered. It stays in the upper left of the X window.

Weird. I thought I fixed that long ago. I'll look into it when I get
back home.


/Martin

-- 
Martin Kasper Petersen			BOFH, IC1&2, Aalborg University, DK
mailto:mkp@SunSITE.auc.dk		http://www.socsci.auc.dk/~mkp/
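
The split discussed in this message (a root daemon that starts its greeter as nobody), as an added example that is not part of the original mail or gdm's own code. The function name spawn_unprivileged and its return codes are assumptions made for illustration; the child stands in for the greeter and checks that /etc/shadow is unreadable after the drop.

```c
#define _GNU_SOURCE            /* for setgroups() */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop root: supplementary groups first, then gid, then uid.
 * Returns 0 only if the drop succeeded and root cannot be regained. */
static int drop_to(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0 || seteuid(0) == 0)      /* must fail after a real drop */
        return -1;
    return (getuid() == uid && geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* Hypothetical stand-in for the daemon starting its greeter.
 * 0: child ran unprivileged and could not read /etc/shadow
 * 1: caller is not root, so it has no privileges to drop
 * 2: account lookup, fork, or the drop itself failed
 * 3: child dropped privileges but /etc/shadow was still readable */
int spawn_unprivileged(const char *user)
{
    if (geteuid() != 0)
        return 1;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0)
        return 2;
    pid_t pid = fork();
    if (pid < 0)
        return 2;
    if (pid == 0) {                              /* child: the "greeter" */
        if (drop_to(pw->pw_uid, pw->pw_gid) != 0)
            _exit(2);
        _exit(access("/etc/shadow", R_OK) == 0 ? 3 : 0);
    }
    int status;                                  /* parent: still root */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return 2;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("spawn_unprivileged(\"nobody\") = %d\n", spawn_unprivileged("nobody"));
    return 0;
}
```

The drop happens only in the forked child, so the parent keeps the root privileges it needs for shadow-password authentication.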


