Re: gnome-screensaver trustworthy??

["William Jon McCann" <mccann jhu edu>]

Hi Mahmood,

CC'ing the screensaver list.

On 2/20/07, Mahmood Ali - Sun Microsystems <Mahmood Ali sun com> wrote:
> Hey Jon,
>
> Sorry for the late response. I heard you have rewritten how
> authentication is done and made the backend to drive the GUI. That is
> neat. I would like to test it, but i have one fundamental issue left
> with gnome-screensaver:
>
> ****The setuid root bit needs to be set on gnome-screensaver process.****

> The reason behind this is the security requirement for any program that
> does any type of authentication at Sun. Basically, the argument goes
> that the authentication program needs to be trustworthy and for it to be
> trustworthy no non root owned program should be in the middle of the
> user and the program that does the authentication.
>
> In case of gnome-screensaver the gnome-screensaver process is run with
> normal logged in user privileges and it then uses a helper setuid root
> process that does the authentication. The issue here is someone can
> rewrite the gnome-screensaver and the new program can simply collect
> passwords and do other mischief. There is no way for gnome-screensaver
> to guarantee this would not happen, basically not trustworthy and not
> bullet proof. Do you agree?

No, I don't agree.  The gnome-screensaver process doesn't know
anything about authentication.  It uses gnome-screensaver-dialog to
handle auth and it looks for that executable in a hardcoded location
(usually /usr/libexec).  That subprocess doesn't expose any auth
information to the parent - it basically only returns a boolean
yes/no.

To be honest I'm not sure I understand your argument.  If someone has
the ability to rewrite software and install it on your system into a
trusted location the game is over.

> I understand the problem with setting root bit on gnome-screensaver will
> break libgtk, as it is not secure and exits whenever root owned programs
> call into the libgtk. But, this limitation on the part of libgtk cannot
> be compromised by making the gnome-screensaver vulnerable to spoofing.

Can you please explain in detail why you think there is a problem?  I
fail to see how this is a problem and your requirement doesn't even
come close to solving spoofing issues.  Regardless of what
gnome-screensaver does, if someone has the ability to compile and
install software there is nothing preventing them from popping up a
full screen window and asking for a password anytime they please,
right?

> A solution to this was developed by Ximian for Sun long time ago when
> they ported xscreensaver to Solaris by breaking it into two processes.
> The xscreensaver daemon process is run with setuid root and it has no
> libgtk code in it. For authentication it execs a libGtk based non root
> process that displays user prompt strings coming from PAM stack to this
> execed libGtk dialog box through a two way pipe. The GUI then sends the
> passwords/etc typed by the user back to the daemon through the 2nd pipe.
>
> Essentially, the requirement of the setuid root bit to be set on
> gnome-screensaver is our biggest obstacle to move to gnome-screensaver.
> This will require similar labotomy to gnome-screensaver that was done on
> xscreensaver. And unless you agree to this solution and are willing to
> take the patch which does this I cannot proceed forward with
> gnome-screensaver, as it would be difficult to maintain two sets of
> screensaver programs (my modified xscreensaver, my modified
> gnome-screensaver) locally at Sun :-(

In general, I don't think adding suid root is a good thing to do.  And
in this case I don't think that it makes the system more secure -
quite the contrary actually.  If you can please try explain in detail
why you think there is a problem and how using setuid solves it
without introducing other problems.

Thanks,
Jon