Re: Questions about PAM, GDM and gnome-screensaver


> It probably makes sense to provide an option
> where gnome-screensaver will grabserver to ensure other X programs
> running as the user can't snoop.  Then this option could be on by
> default on Solaris.
I would advise against that.  It's broken.  If you grab the server
then all single-threaded GUI network applications are going to time
out since they'll be blocking waiting on X and not processing network
I/O.

It doesn't prevent snooping either.  All grabbing the server does is
prevent events from getting delivered; it doesn't prevent sniffing the
key presses as they come in.

A 10-line program that calls XQueryKeymap in a loop can catch key
presses even when the server is grabbed.

> Instead we want to run the GUI as the
> user, and have this program talk to a daemon (perhaps via D-Bus)
> which runs as root and is responsible for PAM interaction, much like
> GDM (and the hacked xscreensaver we currently use) does.  Hopefully this
> is more clear now.
I don't think it would necessarily be bad if the PAM conversation took
place in a process that's separate from the GUI.  I don't think that
process should run as root though.


