Re: Questions about PAM, GDM and gnome-screensaver



Hi,


> For example, one issue with running gnome-screensaver or PAM as the user
> is that it could be affected by the user environment (perhaps by a
> GTK_MODULE) or might be snoop-able if the user can, for example,
> inspect the memory of other processes running as the same user.  This
> obviously breaks Trusted Path rules as defined on Solaris.
By snoopable, do you mean "someone with the user's privileges grabbing the
password as it gets typed"?

> In other words, any PAM interaction which allows users to write
> their own code and run it cannot be a part of the Solaris
> security functions.
ok

> As we have discussed in the past, I think part of the screensaver
> requirements on Solaris is that all PAM interactions happen as a
> system user with appropriate rights to talk to PAM.
I think that's the main point of contention, but I'm not working on
your OS so I'm going to stop arguing about that point

> I think that these requirements also suggest that the GUI part of
> the program that asks for username and password should not run as
> the user.  I am not quite sure how this should work in practical terms,
> but I am still investigating.
Okay, good.  So we do both agree that the lock dialog GUI shouldn't be
run as root.

> So, from this perspective, the idea of merging GDM and gnome-screensaver
> into one program makes more and more sense.
Moving the lock dialog to gdm is an interesting idea.

> One nice thing about GDM is
> that it is already keeping track of displays, has Xauth knowledge to be
> able to run a GUI program as the "gdm" user on any display running as
> another user, and already has a mechanism for passing username/password
> information from a GUI running as a system user to a root-running daemon
> that talks to PAM.
I don't think running gdm-user processes in the session is a good
idea.  You either ignore xsettings and don't get the right theme and
a11y modules, or you allow xsettings and violate your rule above about
not letting GTK_MODULES go into the pam program.

> Also, why have two daemons when one will do fine?
> The more I think about it, the more this direction seems to make
> sense from a "make sure it's as difficult as possible to disclose
> sensitive information from the lock screen" perspective.
It doesn't solve the "credentials renewal" problem we talked about
before though.

--Rau