Re: gdm: shadow unfriendly



>>>>> "Dave" == Dave Boynton <dboynton@worldnet.att.net> writes:

Dave> We should probably suspend this discussion until the newer gdm
Dave> is posted to the cvs server. If I remember correctly, the
Dave> maintainer stated that he had a newer version.

I'm currently fixing conflicts between the gdm in CVS and the stuff
I've been working on while I was away.

I expect to be done either tonight or tomorrow.


Dave> For the record, though, the current gdm does run as root, and
Dave> wouldn't need to be suid, since it runs from init.  

gdm is not *required* to be run from init. Some people might prefer a
/etc/init.d/gdm script or something similar.

But anyway: gdm shouldn't be setuid, no. You don't want ordinary users
to be able to run it.


Dave> Gdmgreeter was set to run as nobody, but was also doing the
Dave> password checking.

Yup. But the password checking was moved to the gdm slave process more
than a week ago. Actually, if you read gdmslave.c from CVS you will
see that the change was imminent.

Doing auth in gdmslave not only solves the shadow vs. PAM problem
but is also necessary for other things like PAM session management.


Dave> What if a new exploit is discovered that allows a remote user to
Dave> obtain "nobody" access to your machine, via Apache, or Sendmail?
Dave> Could they then get a process in memory that attacks the
Dave> gdmgreeter, also running as nobody, to sniff login/passwords?
Dave> Any process that even handles passwords, must be paranoid.

The userid under which gdmgreeter is run can be specified in
gdm.conf. Insert your favorite choice here.

The daemon part of gdm is deliberately kept small and simple for
security reasons. Furthermore, Alan has been involved in securing gdm
from day 1.

In contrast the xdm source is an unaudited, unreadable mess. -- A maze
of twisty little setjmps all alike...

-- 
Martin Kasper Petersen			BOFH, IC1&2, Aalborg University, DK
mailto:mkp@SunSITE.auc.dk		http://www.socsci.auc.dk/~mkp/
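As an added illustration of the split described in this message (the greeter runs unprivileged and only collects credentials; the password check lives in the privileged slave), here is a Python sketch. It is not gdm's code. It assumes a constructed in-memory credential store in place of /etc/shadow or PAM, and the account name "nobody" stands in for whatever the greeter user is set to in gdm.conf; privilege dropping only happens when the parent is actually root, so the sketch also runs as an ordinary user.

```python
"""Privilege-separated login check, modelled on the gdm slave/greeter split.

Added example, not gdm's own code. The slave (parent) is the only side that
can see the credential store; the greeter (child) drops privileges before it
ever touches user input and just forwards what it collected.
"""
import hashlib
import hmac
import os
import pwd
import socket

# Constructed stand-in for /etc/shadow: user -> (salt, sha512(salt + password)).
# Real gdm would call getspnam()/crypt() or PAM here, in the root-owned slave.
_FAKE_SHADOW = {
    "alice": ("s4lt", hashlib.sha512(b"s4lt" + b"correct horse").hexdigest()),
}

# Assumption: the account named in gdm.conf for the greeter. Illustrative only.
GREETER_USER = "nobody"


def drop_privileges(user=GREETER_USER):
    """Switch the greeter to an unprivileged account.

    Returns True if privileges were dropped, False if the caller was not root
    (in which case there is nothing to drop and the example still runs).
    """
    if os.geteuid() != 0:
        return False
    pw = pwd.getpwnam(user)
    os.setgroups([])        # supplementary groups first, while still root
    os.setgid(pw.pw_gid)    # then the primary group
    os.setuid(pw.pw_uid)    # then the uid: no saved uid, so no way back
    return True


def check_password(user, password):
    """Slave side: verify against the credential store in constant time."""
    entry = _FAKE_SHADOW.get(user)
    if entry is None:
        # Hash anyway so an unknown user costs as much as a wrong password.
        hashlib.sha512(b"dummy" + password.encode()).hexdigest()
        return False
    salt, stored = entry
    candidate = hashlib.sha512(salt.encode() + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored)


def greeter_main(sock, user, password):
    """Greeter side (child): drop privileges, forward credentials, exit with
    the slave's verdict. It never sees _FAKE_SHADOW.

    Framing assumption: neither field contains NUL or newline.
    """
    drop_privileges()
    sock.sendall(f"{user}\0{password}\n".encode())
    verdict = sock.recv(8)
    sock.close()
    os._exit(0 if verdict == b"OK\n" else 1)


def slave_authenticate(user, password):
    """Slave side (parent): spawn a greeter, read one credential line from it
    over a socketpair, verify, reply, and return the verdict."""
    parent, child = socket.socketpair()
    pid = os.fork()
    if pid == 0:
        parent.close()
        try:
            greeter_main(child, user, password)
        finally:
            os._exit(1)   # never fall through into the parent's code path
    child.close()
    data = b""
    while not data.endswith(b"\n"):
        chunk = parent.recv(4096)
        if not chunk:
            break
        data += chunk
    ok = False
    if data.endswith(b"\n"):
        u, _, p = data[:-1].decode().partition("\0")
        ok = check_password(u, p)
    parent.sendall(b"OK\n" if ok else b"NO\n")
    parent.close()
    _, status = os.waitpid(pid, 0)
    return ok and os.WEXITSTATUS(status) == 0


if __name__ == "__main__":
    print("alice/correct:", slave_authenticate("alice", "correct horse"))
    print("alice/wrong:  ", slave_authenticate("alice", "wrong"))
```

The point the thread makes is visible in the process boundary: a compromise of the greeter (the "nobody" process Dave worries about) yields only what that one greeter instance was typed into, not the store or the verification logic, and the slave keeps root for the later PAM session work. A real greeter would also need to clear the password buffer after sending it.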


