Re: Questions about PAM, GDM and gnome-screensaver

From: "Ray Strode" <halfline gmail com>
To: "Brian Cameron" <Brian Cameron sun com>
Cc: screensaver-list gnome org, Gary Winiger <gww eng sun com>
Subject: Re: Questions about PAM, GDM and gnome-screensaver
Date: Thu, 20 Dec 2007 10:40:44 -0500

Hi,

> It probably makes sense to provide an option
> where gnome-screensaver will grabserver to ensure other Xprograms
> running as the user can't snoop.  Then this option could be on by
> default on Solaris.
I would advise against that.  It's broken.  If you grab the server
then all single-threaded
gui network applications are going to time out since they'll be
blocking waiting on X and not processing network I/O.

It doesn't prevent snooping either.  All grabbing the server does is
prevent events from getting delivered, it doesn't prevent sniffing the
key presses as they come in.

A 10 line program that calls XQueryKeymap in a loop can catch key
presses even when the server is grabbed.

> Instead we want to run the GUI as the
> user, and have this program talk to a daemon (perhaps via D-Bus)
> which runs as root and is responsible for PAM interaction, much like
> GDM (and the hacked xscreensaver we currently use) does.  Hopefully this
> is more clear now.
I don't think it would necessarily be bad if the pam conversation took
place in a process that's separate from the gui.  I don't think that
process should run as root though.

--Ray

Follow-Ups:
- Re: Questions about PAM, GDM and gnome-screensaver
  - From: Alan Coopersmith

References:
- Re: Questions about PAM, GDM and gnome-screensaver
  - From: Brian Cameron
- Re: Questions about PAM, GDM and gnome-screensaver
  - From: William Jon McCann
- Re: Questions about PAM, GDM and gnome-screensaver
  - From: Brian Cameron

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]