Re: continued discussion on trustworthiness of gnome-screensaver


Please, for the last time - this discussion should take place on the
screensaver list.

On 2/28/07, Mahmood Ali - Sun Microsystems <Mahmood Ali sun com> wrote:

Many thanks for the detailed response to my earlier questions.

Now, how is gs_auth_verify_user() being used. There are two different
implementations of this function in gs-auth-helper.c and gs-auth-pam.c.
It seems gs-auth-pam.c has the implemenation that gets compiled with
gnome-screensaver? Initially i thought the helper program is  invoked by
the gnome-screensaver like it is in gs-auth-helper.c in which case PAM
infrastructure is totally bypassed and gnome-screensaver directly execs
the helper program for authentication. The gs_auth_verify_user() in
gs-auth-pam.c seems to be doing the right thing when it gathers the
response from a user and passes it to PAM modules through
pam_conversation() function. Basically, gnome-screensaver is not
directly calling the helper program (if it is using PAM for
authentication), right?

There are different authentication backends.  You get to choose one by
using the configuration option:
 --enable-authentication-scheme=auto/pam/helper/pwent  Choose a specific
                         authentication scheme default=auto

The default is PAM if it is available.  Read for details
on how this works.

So, from your earlier emails, in gnome-screensaver authentication
happens by calling pam_authenticate() which calls the pam_conversation()
function which takes the string passed from PAM module and displays it
in a GUI and if a response is needed gets that response from the user
and passes it back to PAM module, right?


A particular PAM module suppose it is pam_unix would itself use the
service of a helper setuid program that would authenticate the user. And
all other PAM modules that need root privileges pam_kerberos,
pam_smartcard, etc etc should be modified/altered to use setuid helper
programs if they need root privileges for authentication work, right?

My view, which is not necessarily the view of the PAM maintainers, is
that a PAM module should handle all of the implementation details and
not require the entire program and PAM stack to run as root.

Also, does gnome-screensaver have any auditing code? Does it need any
privileges for auditing? If suppose we outsource the auditing code from
applications to the same helper setuid programs how would they
distinguish for which application should they write the audit record for
(gnome-screensaver, gdm etc)? Perhaps, pass the application name as a
parameter along with username/password info?

No, it doesn't have any auditing code at the moment.  Honestly, you
should be able to answer this question for yourself by looking at the
source code.

It seems more and more like the real issue is the PAM modules themselves
need to tackle their requirements of accessing information that needs
root privileges.

Yes they should use the least set of privileges necessary to complete the job.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]