Re: Questions about PAM, GDM and gnome-screensaver




Jon:

> On Dec 19, 2007 3:05 PM, Brian Cameron <Brian Cameron sun com> wrote:
> ...
>> For one thing I think there is a pretty significant difference in
>> how "Trusted Path" is considered by Linux vs. Solaris:
>>
>> Linux   - The goal seems to be to avoid running processes with privilege,
>>            even when doing security sensitive functionality like PAM.
>>
>> Solaris - The goal is to ensure that the interaction cannot be
>>            tampered with or disclosed.  This takes priority over any
>>            risks running PAM itself with lower privilege.  That said,
>>            Solaris does support "least privilege" for ensuring that
>>            PAM modules can be implemented to run with as little
>>            privilege as possible regardless of who calls it.

> Can you please describe why you think that what you are doing now can
> be considered using a Trusted Path?

On Solaris, the users who have the strongest "Trusted Path" requirement
are most likely using CDE still.  CDE has the lock program integrated
into dtsession, which runs setuid root.  One nice thing about this
approach is if the screen saver crashes it also brings down the session
and takes you back to the login screen.

In JDS, we use a modified xscreensaver.  The GUI runs as the user and
the backend, which interacts with PAM, runs as root.

> Also please describe your plan
> for how you think we can achieve a trusted path for reauthentication
> and credential renewal while operating within a user's graphical
> session.

I suggested that merging GDM and gnome-screensaver might be one
approach.  Hacking gnome-screensaver so that the PAM interaction
is handled by a separate daemon process that runs as root with a
D-Bus interaction between them would get us as close as xscreensaver
currently gets us.  It probably makes sense to provide an option
where gnome-screensaver will grabserver to ensure other X programs
running as the user can't snoop.  Then this option could be on by
default on Solaris.

> And I'd appreciate it if you could specifically address some
> of the points raised by Ray and others in previous threads.

In my discussion, I've tried to answer all the points raised so far.
Are there any that I specifically missed that you are thinking of?
Ray, are there further questions you have?

Ray's past questions mainly seemed to be about gaining a better
understanding of why we wanted to run PAM interactions as root, which I
think should be more clear now.  Also, by reading Ray's comments, I get
the impression that he thought we wanted to run the gnome-screensaver
GUI as root, which is not true.  Instead we want to run the GUI as the
user, and have this program talk to a daemon (perhaps via D-Bus)
which runs as root and is responsible for PAM interaction, much like
GDM (and the hacked xscreensaver we currently use) does.  Hopefully this
is more clear now.

Brian
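
The split described in the message above (GUI as the user, a separate process doing the authentication check), sketched as an added example that is not part of the original message and is not GDM, gnome-screensaver or xscreensaver code. Assumptions: a forked child over a socketpair stands in for the root daemon and its D-Bus channel, `check_secret()` stands in for the PAM call, and all names and the test credential are hypothetical.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the PAM call the privileged helper would make
 * (assumption). The credential is a constructed test value. */
static int check_secret(const char *secret) {
    return strcmp(secret, "correct horse") == 0;
}

/* Helper side: read one length-prefixed secret, answer with a single
 * verdict byte, wipe the buffer. Nothing else crosses the channel. */
static void helper_loop(int fd) {
    unsigned char len;
    char buf[256];
    size_t got = 0;
    if (read(fd, &len, 1) != 1) _exit(2);
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n <= 0) _exit(2);
        got += (size_t)n;
    }
    buf[len] = '\0';
    char verdict = check_secret(buf) ? 'Y' : 'N';
    memset(buf, 0, sizeof buf); /* production code: explicit_bzero() */
    if (write(fd, &verdict, 1) != 1) _exit(2);
    _exit(0);
}

/* GUI side: returns 1 to unlock, 0 to stay locked. Any helper failure
 * (crash, short read, oversized input) fails closed. */
int unlock_request(const char *typed) {
    int sv[2];
    size_t n = strlen(typed);
    if (n > 255 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 0;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return 0; }
    if (pid == 0) { close(sv[0]); helper_loop(sv[1]); }
    close(sv[1]);
    unsigned char len = (unsigned char)n;
    char verdict = 'N';
    int ok = write(sv[0], &len, 1) == 1 &&
             (n == 0 || write(sv[0], typed, n) == (ssize_t)n) &&
             read(sv[0], &verdict, 1) == 1;
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return ok && verdict == 'Y';
}
```

The GUI process only ever learns a yes/no verdict, so a crash or compromise on the GUI side leaves the screen locked.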



