Re: Questions about PAM, GDM and gnome-screensaver

From: Brian Cameron <Brian Cameron Sun COM>
To: William Jon McCann <mccann jhu edu>
Cc: screensaver-list gnome org, Gary Winiger <gww eng sun com>
Subject: Re: Questions about PAM, GDM and gnome-screensaver
Date: Thu, 20 Dec 2007 13:43:53 -0600


Jon:

In my opinion, this entire discussion is academic unless you can
protect against trojans.  To me, that is the essence of a trusted
path.  If the user has no way of knowing what is trustworthy what is
the point?  What is the point of protecting against snooping and
requiring all sorts of stuff to run at a higher privilege if any
program can pop up a password prompt at any time (and no one can tell
the difference)?  And visual cues don't cut it either since they can
be spoofed just the same.

Your definition of trusted path may work for command line programs and
login but doesn't really make sense to me for graphical applications.

Windows solves this by using the C-A-Del keybinding.


So, let's see if I understand.

I take it that in order for us to move forward and make
gnome-screensaver a candidate for meeting Solaris lock screen
requirements we would need to do the following:

1) Provide some mechanism to protect against trojans.  Perhaps something
   like the Windows C-A-Del keybinding.

2) Make it possible to configure what user runs the gnome-screensaver
   PAM interaction.  If configured to be a different user than the user
   locking the screen, then gnome-screensaver would have a helper
   program that would run as the configured user to do PAM interaction.
   Probably with a D-Bus connection for the two processes to talk to
   each other, or would any reasonably secure communication mechanism be
   okay?

3) Make it possible to configure the lock screen GUI to run as a
   different user and/or run as the same user with GrabServer.  Perhaps
   not all users would want to run the lock screen program this way, but
   providing these options would make it possible for users who want the
   added protection to do so.

Does that sound reasonable?

The situation here at Sun is that the Xserver team currently owns
xscreensaver.  They have agreed to help do the work to make
gnome-screensaver meet these requirements, but only if we can figure out
a list of requirements that is acceptable to both the gnome-screensaver
maintainers and which meets Sun's Trusted Path requirements.  Also, we
would like some idea about whether these changes could go upstream if
people here at Sun were willing to do the work to create a well-written
patch that did these things.

Perhaps because of past experience with the xscreensaver maintainer
being unwilling to work with us to even discuss accepting our patches,
the Xserver team here at Sun is doubly shy about working in the lock
screen space.

Brian

References:
- Re: Questions about PAM, GDM and gnome-screensaver
  - From: Brian Cameron
- Re: Questions about PAM, GDM and gnome-screensaver
  - From: William Jon McCann
- Re: Questions about PAM, GDM and gnome-screensaver
  - From: Brian Cameron
- Re: Questions about PAM, GDM and gnome-screensaver
  - From: William Jon McCann
- Re: Questions about PAM, GDM and gnome-screensaver
  - From: Brian Cameron
- Re: Questions about PAM, GDM and gnome-screensaver
  - From: William Jon McCann

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]