Re: gnome-screensaver trustworthy??

Hi Mahmood,

CC'ing the screensaver list.

On 2/20/07, Mahmood Ali - Sun Microsystems <Mahmood Ali sun com> wrote:
Hey Jon,

Sorry for the late response. I heard you have rewritten how
authentication is done and made the backend to drive the GUI. That is
neat. I would like to test it, but i have one fundamental issue left
with gnome-screensaver:

****The setuid root bit needs to be set on gnome-screensaver process.****

The reason behind this is the security requirement for any program that
does any type of authentication at Sun. Basically, the argument goes
that the authentication program needs to be trustworthy and for it to be
trustworthy no non root owned program should be in the middle of the
user and the program that does the authentication.

In case of gnome-screensaver the gnome-screensaver process is run with
normal logged in user privileges and it then uses a helper setuid root
process that does the authentication. The issue here is someone can
rewrite the gnome-screensaver and the new program can simply collect
passwords and do other mischief. There is no way for gnome-screensaver
to guarantee this would not happen, basically not trustworthy and not
bullet proof. Do you agree?

No, I don't agree.  The gnome-screensaver process doesn't know
anything about authentication.  It uses gnome-screensaver-dialog to
handle auth and it looks for that executable in a hardcoded location
(usually /usr/libexec).  That subprocess doesn't expose any auth
information to the parent - it basically only returns a boolean

To be honest I'm not sure I understand your argument.  If someone has
the ability to rewrite software and install it on your system into a
trusted location the game is over.

I understand the problem with setting root bit on gnome-screensaver will
break libgtk, as it is not secure and exits whenever root owned programs
call into the libgtk. But, this limitation on the part of libgtk cannot
be compromised by making the gnome-screensaver vulnerable to spoofing.

Can you please explain in detail why you think there is a problem?  I
fail to see how this is a problem and your requirement doesn't even
come close to solving spoofing issues.  Regardless of what
gnome-screensaver does, if someone has the ability to compile and
install software there is nothing preventing them from popping up a
full screen window and asking for a password anytime they please,

A solution to this was developed by Ximian for Sun long time ago when
they ported xscreensaver to Solaris by breaking it into two processes.
The xscreensaver daemon process is run with setuid root and it has no
libgtk code in it. For authentication it execs a libGtk based non root
process that displays user prompt strings coming from PAM stack to this
execed libGtk dialog box through a two way pipe. The GUI then sends the
passwords/etc typed by the user back to the daemon through the 2nd pipe.

Essentially, the requirement of the setuid root bit to be set on
gnome-screensaver is our biggest obstacle to move to gnome-screensaver.
This will require similar labotomy to gnome-screensaver that was done on
xscreensaver. And unless you agree to this solution and are willing to
take the patch which does this I cannot proceed forward with
gnome-screensaver, as it would be difficult to maintain two sets of
screensaver programs (my modified xscreensaver, my modified
gnome-screensaver) locally at Sun :-(

In general, I don't think adding suid root is a good thing to do.  And
in this case I don't think that it makes the system more secure -
quite the contrary actually.  If you can please try explain in detail
why you think there is a problem and how using setuid solves it
without introducing other problems.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]