Re: gnome-screensaver trustworthy??



(resending to the list, because I clicked the wrong Reply button)

Hi,

> ****The setuid root bit needs to be set on gnome-screensaver process.****

> The reason behind this is the security requirement for any program that
> does any type of authentication at Sun. Basically, the argument goes
> that the authentication program needs to be trustworthy and for it to be
> trustworthy no non root owned program should be in the middle of the
> user and the program that does the authentication.
huh? why?

> In case of gnome-screensaver the gnome-screensaver process is run with
> normal logged in user privileges and it then uses a helper setuid root
> process that does the authentication. The issue here is someone can
> rewrite the gnome-screensaver and the new program can simply collect
> passwords and do other mischief. There is no way for gnome-screensaver
> to guarantee this would not happen, basically not trustworthy and not
> bullet proof. Do you agree?
There really is no reason anything shipped with gnome-screensaver
should be setuid.  The most secure way to handle authentication (as
with other things) is to limit the amount of code that runs
privileged.  Ideally, your pam modules should be able to handle all
the authentication on their own.

In RHEL/Fedora, we ship a setuid program called unix_chkpasswd as part
of our default pam setup.  It lets the currently logged in user
reauthenticate their session.  It doesn't allow one user to verify
another user's password, or anything of that nature.  It's also merely
an implementation detail of the pam_unix pam module.  It's a small,
easily auditable program, with a well-defined task and it
automatically solves the problem of reauthentication for all programs
that need it without those programs having to run privileged
themselves.

Really, that type of program is the only type of program that should
be setuid.  Anything more complicated just has the potential to cause
security holes.


> Regardless of what
> gnome-screensaver does, if someone has the ability to compile and
> install software there is nothing preventing them from popping up a
> full screen window and asking for a password anytime they please,
> right?
It's even worse than that.  If a program has access to the user's
display at all, then all bets are off.  A malicious app wouldn't need
to spoof anything, it could just sit back and call XQueryKeymap in a
loop and pick up every keystroke the user presses (even keypresses
that occur while a keyboard grab is in place!)  The next time the user
unlocks the screen, or logs into a bank website, or whatever, game
over.  If an app can open the display, the app can do anything it
wants basically (which is all the more reason to make sure X clients
aren't running setuid).

--Ray
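Ray's closing point is that X clients should never run setuid. A small audit helper for checking a system against that rule follows; it is an added example, not code from the thread or from gnome-screensaver. It assumes POSIX `find` and `grep`, and that a binary dynamically linked against libX11 carries the literal string `libX11.so` in its dynamic string table, so a byte-level grep is enough to flag it (the function name `setuid_x_clients` and the default directory are my own choices).

```shell
#!/bin/sh
# Added audit helper (not from the original thread): list setuid binaries
# under a directory tree that reference libX11, i.e. X clients that run
# privileged, the combination the message warns against.
# Assumptions: POSIX find/grep; a libX11 NEEDED entry appears literally in
# the binary's .dynstr section, so grepping the file bytes is sufficient.

setuid_x_clients() {
    dir="${1:-/usr}"
    # -perm -4000: setuid bit set; -type f: regular files only
    find "$dir" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        # -a treats binary data as text so a match inside an ELF file is reported
        if grep -aq 'libX11\.so' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage: setuid_x_clients /usr
# Prints one path per line; no output is the good case.
```

Run it over `/usr` (or `/`) as part of a baseline review; every path it prints is a privileged process that can open the user's display and deserves the scrutiny the thread describes.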


