Re: Questions about PAM, GDM and gnome-screensaver



Ray:

I just recently traded emails with Gary Winiger, PAM expert here at Sun,
so I think I have a better understanding of Solaris PAM and Trusted Path
requirements.  So I wanted to talk about this a bit more in this thread.
I am still cc:ing Gary, so hopefully he will chime in if further
clarification is necessary, or if I get anything wrong.

For one thing I think there is a pretty significant difference in
how "Trusted Path" is considered by Linux vs. Solaris:

Linux   - The goal seems to be to avoid running processes with privilege,
          even when doing security sensitive functionality like PAM.

Solaris - The goal is to ensure that the interaction cannot be
          tampered with or disclosed.  This takes priority over any
          risks running PAM itself with lower privilege.  That said,
          Solaris does support "least privilege" for ensuring that
          PAM modules can be implemented to run with as little
          privilege as possible regardless of who calls it.

For example, one issue with running gnome-screensaver or PAM as the user
is that it could be affected by the user environment (perhaps by a
GTK_MODULE) or might be snoop-able if the user can, for example,
inspect the memory of other processes running as the same user.  This
obviously breaks Trusted Path rules as defined on Solaris.

In other words, any PAM interaction which allows users to write
their own code and run it cannot be a part of the Solaris
security functions.

GDM, for example, solves this by running the login GUI screen as a
system user (the "gdm" user) and with a root daemon which interacts
with PAM.  In this setup, there is no way a user can affect the
transaction, and the communicated data is protected from disclosure
or undetected modification.

As we have discussed in the past, I think part of the screensaver
requirements on Solaris is that all PAM interactions happen as a
system user with appropriate rights to talk to PAM.

I think that these requirements also suggest that the GUI part of
the program that asks for username and password should not run as
the user.  I am not quite sure how this should work in practical terms,
but I am still investigating.

So, from this perspective, the idea of merging GDM and gnome-screensaver
into one program makes more and more sense.  One nice thing about GDM is
that it is already keeping track of displays, has Xauth knowledge to be
able to run a GUI program as the "gdm" user on any display running as
another user, and already has a mechanism for passing username/password
information from a GUI running as a system user to a root-running daemon
that talks to PAM.  Also, why have two daemons when one will do fine?
The more I think about it, the more this direction seems to make
sense from a "make sure it's as difficult as possible to disclose
sensitive information from the lock screen" perspective.

Any ideas, or thoughts, would be appreciated.  At the very least,
I would like to get the Solaris versus Linux approaches towards security
and Trusted Path more clear.  I think it is easier to talk about
how gnome-screensaver might evolve to meet differing requirements once
those requirements are more clear.

Brian

