Re: Questions about PAM, GDM and gnome-screensaver



Hi,

On Nov 1, 2007 4:06 PM, Brian Cameron <Brian Cameron sun com> wrote:
> I understand.  I was just trying to get a feeling if there is any plan
> to make the two programs share a common PAM interface.  While the two
> programs are doing different things, it might still be possible to
> take care of PAM in one place.  But, perhaps it doesn't make sense.  I
> was just asking.
Not sure.  I guess when we look into Jon's display factory idea, we
can figure out where the break up would be.

> In the past Gary has explained to me that the Linux PAM model does not
> make sense on Solaris.  I suspect this might have to do with the fact
> that Solaris supports things like Trusted Solaris, which has more strict
> rules about how privilege is managed.  I am hoping Gary can explain a
> bit more in detail and help answer your questions.
That'd be great.

> > For user session unlock, the default shouldn't be "run all pam modules
> > as root".  What I mean is, if a pam module needs root privileges to
> > look at /etc/shadow to confirm a password hash matches, that doesn't
> > mean the entire pam module should run as root!  It should only run as
> > root long enough to open /etc/shadow.  Furthermore, pam modules that
> > don't need root shouldn't get root.
>
> When using Solaris, these things should probably be managed by following
> least privilege.
Right, that makes sense.

> Obviously we don't have SELinux on Solaris.  Instead we use least
> privilege and RBAC.
Right, I just meant that kind of thing.

> I don't think setuid/setgid is the best approach for granting privilege
> when using RBAC and the least privilege model.  I know that Sun makes
> a lot of effort to avoid setuid/setgid scripts because this shouldn't
> be so necessary when using roles and least privilege properly.
This is the part I don't understand.  Isn't the initial mail about getting
gnome-screensaver to run setuid root?

I guess my main point is we should try to limit the scope of
root-running code in the session to be as small as possible.

I think we're debating over two possibilities (but tell me if I'm wrong):

1) run gnome-screensaver setuid root and implicitly trust all pam
modules the user uses to drop the privileges they don't need, and have
a policy tailored for them to give them least privileges and the right
roles
2) for pam modules that require root privileges, have them explicitly
run a helper app that is setuid root and trust that helper to drop
privileges it doesn't need.

Am I right?

> Is this always true, or just true with some PAM kerberos
> implementations?  I know Sun has kerberos modules.  While I haven't
> personally used them, and cannot vouch that they work, I haven't
> heard about such problems using kerberos PAM modules on Solaris.
> I'm guessing PAM is just managed differently on Solaris than on Linux.
> Perhaps Gary can clarify?
Kerberos was just an example.  PAM has an API, pam_setcred, that lets
you "refresh credentials", which you can run if you've verified the
person who logged in is still at the computer.  It's optional by
design I guess, because in theory a user could choose to never lock
(and subsequently unlock) their screen.

> At any rate, if a user or distro wants to run the entire PAM stack as
> a user or role with privilege, it seems that it would be nice if
> gnome-screensaver allowed you to configure itself to work this way.
Isn't the point of least privilege to only run with minimal
privileges?  If you're running the entire stack with one role and one
set of privileges then you're running code with higher privileges than
you need to (since not all pam modules require the same set of
privileges).  You want to run every module with the privileges that
any module could ever need?  So pam_ldap has privileges to read
/etc/shadow?  pam_motd has the same privileges as pam_mkhomedir?

> I will take up this issue again with our PAM team and see if they might
> be more open to the idea of allowing PAM to authenticate users without
> needing to run PAM with privilege.  In the past, they have said this is
> a bad idea for the Solaris model.  I will need to discuss further with
> them to get the specific reasons, or perhaps Gary can chime in.
Gary, it'd be great if you could share your thoughts and a rationale
for wanting the change.

> If we can document the specific reasons why we need PAM to run with
> privilege (as a user/role with more privilege than the user), and if
> these reasons are valid in a Solaris context, then would the
> gnome-screensaver project be willing to entertain a patch that would
> allow us to build gnome-screensaver this way?
That's Jon's call, so I don't know.

> I'm not suggesting we should change how things work on Linux, I'm
> just trying to see if gnome-screensaver can be configured to work on
> Solaris.  I think people here at Sun would be happy to provide
> patches for review if the gnome-screensaver project agrees that this
> is worth the time.
>
> Right now, we are using a hacked xscreensaver to meet our lock screen
> needs on Solaris.  Within the Sun GNOME team, we would like to better
> follow the GNOME community and use gnome-screensaver instead if we can
> work together.
I guess if you're already patching your screensaver, you might be able
to drop privileges around the gtk_init call and restore from the saved
user id.
Or set your role at the top of the file then setuid(getuid()) before gtk_init.
I wouldn't recommend doing either of those though.

--Ray
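Privilege bracketing of the kind sketched at the end of the mail (drop around the gtk_init call, restore from the saved uid for the one step that needs it, then drop for good) as an added C example; it is not code from this thread or from gnome-screensaver, the function names are invented, and it assumes Linux/glibc for setresuid and getresuid.

```c
#define _GNU_SOURCE   /* setresuid/getresuid on glibc (Linux) */
#include <errno.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical privilege-bracketing helpers for a setuid-root lock program;
 * example code for this thread, not gnome-screensaver's own. */
static uid_t saved_euid;   /* effective uid at startup: 0 when setuid root */

/* Drop only the effective uid to the invoking user before running large
 * untrusted code (the gtk_init call in the mail).  The saved uid keeps the
 * way back open.  setuid(getuid()) would not do: with euid 0 it sets all
 * three ids, so that drop is permanent and "restore" becomes impossible. */
int privilege_drop_temporarily(void)
{
    saved_euid = geteuid();
    if (seteuid(getuid()) != 0)
        return -1;
    return geteuid() == getuid() ? 0 : -1;   /* verify the drop took */
}

/* Regain the saved privilege just long enough for one privileged step. */
int privilege_restore(void)
{
    if (seteuid(saved_euid) != 0)
        return -1;
    return geteuid() == saved_euid ? 0 : -1;
}

/* Give up root for good: real, effective and saved uid all at once. */
int privilege_drop_permanently(uid_t target)
{
    uid_t r, e, s;
    if (setresuid(target, target, target) != 0 || getresuid(&r, &e, &s) != 0)
        return -1;
    return (r == target && e == target && s == target) ? 0 : -1;
}

/* After a permanent drop, becoming root again must fail with EPERM. */
int privilege_can_regain_root(void)
{
    if (seteuid(0) == 0)
        return 1;            /* still privileged: the drop did not stick */
    return errno == EPERM ? 0 : -1;
}

/* Unprivileged uid for the permanent drop: the real user when setuid,
 * otherwise (already root) the conventional "nobody" uid 65534. */
uid_t privilege_unprivileged_uid(void)
{
    return getuid() != 0 ? getuid() : (uid_t)65534;
}
```

Run from a setuid-root binary, the first two functions show why seteuid rather than setuid(getuid()) is needed for a drop that can be restored; run unprivileged, every step is a harmless no-op except the final check that root cannot be regained.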
