Fwd: continued discussion on trustworthiness of gnome-screensaver

["William Jon McCann" <mccann jhu edu>]

---------- Forwarded message ----------
From: Ray Strode <halfline gmail com>
Date: Feb 23, 2007 6:50 PM
Subject: Re: continued discussion on trustworthiness of gnome-screensaver
To: Mahmood Ali - Sun Microsystems <Mahmood Ali sun com>
Cc: William Jon McCann <mccann jhu edu>


Hi,

> Could you guys kindly briefly explain in your words of your
> understanding of PAM and how it should be used. I think there is a big
> disconnect on how we think it should be used and how you guys think of it.
PAM should be used for authenticating, reauthenticating, and
authorizing a user for login access.

programs running within the user's session should be allowed to
reauthenticate the user that is currently logged in.  They should not
be able to authenticate new users, and if they are only
reauthenticating a user they shouldn't have to be run setuid root.

If a pam module needs to do some sort of access that requires root
privileges (like check the shadow file, or read a fingerprint scanner)
then it should spawn a setuid root helper that *only* does the minimum
it has to as root.  This is all an implementation detail of the pam
module though.  It's not something the program that's reauthenticating
the user should ever have to worry about.

>  From my reading of your responses i am a little confused.
>
> Is the authentication program (unix_chkpasswd)  simply hardwired to
> authenticate a particular user based on a password(text entry)? Is it
> assuming that user is only going to type some kind of response and only
> going to do it once?
unix_chkpasswd is a setuid helper for the pam_unix module.  It was
just an example.  pam_unix only supports username/password
authentication.  Other pam modules can do more exotic things, of
course, and they may require their own setuid helper if those exotic
things require root privileges.

> How do you deal with the case when the screen is locked and a user's
> password has expired in that state, do you log him back with the old
> password?
Yes.  gnome-screensaver runs acct modules so that necessary
bookkeeping can be performed, but still allows the user access back to
the system even if those acct modules fail.  The reason is, if the
screensaver is running then the user is already logged in, just as if
they were ssh'd in, or logged in via the console.  All the screensaver
lock dialog does is say "Is the person who locked the screen back?"
It's not the screensaver's job to handle authorization, just
reauthentication.  The authorization step already happened when the
user logged in.  They are already authorized.  If you want to be able
to immediately revoke that authorization, the lock dialog isn't the
place to enforce that.  What if the user never locks their screen?
One way to generally revoke a users authorization, would be to have
some sort of background daemon that kills all processes that belong to
a user when the account is revoked.

> What happens if there is a fingerprint scanner instead of a
> password requirement or both?
That would need to be handled by a different pam module, and it should
all work transparently to the screensaver.

Actually, today someone sent me a question about how to implement a
pam module that would support fingerprint recognition. I'll paste my
reply inline below this message.

> Also, is this program (unix_chkpasswd) GUI based?
No.  It just serves a very tiny purpose. Namely, "Did the person who
is logged in right now, type their password correctly?"

> It cant be right unless it is not using libGtk?
Why not?

> So, how are you passing user's password to it?
The password is passed to pam_unix as part of the pam conversation.
It is then passed from pam_unix to unix_chkpasswd using some sort of
private ipc mechansim.  That's an implementation detail that
gnome-screensaver doesn't have to know about.

> I am little confused on how this program (unix_chkpasswd) gets
> used, i.e. how does input to the program gets sent or is the program
> directly prompting the user based on info required by PAM modules?
gnome-screensaver is just blindly passes information back and forth
from/to the pam stack and the user.  It has very little concept of
what questions are getting asked or what answers are given back in
return.

> Also,  if a particular PAM module asks a user multiple pieces of
> information not just password how are they handled.
The PAM module is free to ask the user as much as it once. It's a
serial challenge/response sort of thing.

The dialog just keeps asking the questions and returning the answers
until pam_authenticate fails or succeeds.

> Also, is it possible
> to get the source code for unix_chkpasswd? Or atleast just the
> pam_conversation() function implementation of it?
Yes, the source code is here:
http://www.kernel.org/pub/linux/libs/pam/pre/library/

download the latest tarball and then look in modules/pam_unix/unix_chkpwd.c

> Jon, is gnome-screensaver using unix_chkpasswd as a helper program to do
> the authentication?
pam_unix uses unix_chkpasswd and gnome-screensaver uses pam (which may
use pam_unix depending on how the pam stack is setup).

--Ray