Re: Jon - question about GDM and gnome-screensaver



Hi Brian,

> The main difference in how GDM and
> gnome-screensaver interact with PAM is mainly with auditing.

So gnome-screensaver and GDM conceptually do different things with PAM
(even if a lot of the code is similar looking).

GDM has to do 3 separate things:

1) find out who's trying to login (which usually means asking them,
and then making them prove it).
2) find out if the person who's trying to login is authorized to do so.
3) log the user in

gnome-screensaver has to do something entirely different and
conceptually a lot simpler:

1) make the person trying to unlock the screen prove that they are the
person who logged in initially.
2) refresh any credentials that timeout

> So, I don't think the desire to support interacting with PAM modules as
> root (or with privilege) is really a Sun-specific thing.
It's not a Sun-specific thing.  It comes up quite frequently in fact.

There are lots and lots of pam modules out there.  Quite frequently, a
pam module needs to do something that requires special privileges
(open /etc/shadow, or read a fingerprint scanner, or whatever).
That's okay and expected, but code that requires special privileges
needs to be smart about how it uses those privileges.  Privileges come
with responsibility.  We don't want to run a bunch of code in the
user's session as root.  It's not smart.  It's not secure.  We need to
minimize the code that's run as root, and more generally only give
privileges where needed.

For user session unlock, the default shouldn't be "run all pam modules
as root".  What I mean is, if a pam module needs root privileges to
look at /etc/shadow to confirm a password hash matches, that doesn't
mean the entire pam module should run as root!  It should only run as
root long enough to open /etc/shadow.  Furthermore, pam modules that
don't need root shouldn't get root.

And like I said before, there are lots and lots of pam modules.
gnome-screensaver has no idea what modules it's running when it
initiates a pam conversation.  It can't know which modules it's
running will need root, which ones will need acl access to some device
file, and which ones just need access to the network, or the user's
session.

Only the individual modules know that.  It's each module's own job to
figure out what things it needs access to, and it's each module's own
job to gain that access on its own.  If a pam module needs to access
something as root, it should have a carefully written, small setuid
helper program that opens the resource and drops privileges.  Also, if
you've got something like SELinux, then you should be able to label
the helper to only get access to the resources it's supposed to get
access to.  Also the helper should be very restrictive about what it
checks.  If the real uid it's running as is user foo's, then it should
only check secrets that belong to user foo.

Running the entire pam conversation as root is just not responsible or secure.

Any pam module that expects to be run as root is either not designed
to work from within a user's session (i.e. is designed for login
programs, but not unlock programs) or is broken.

> In short, I think if we want to make gnome-screensaver work on Solaris
> we probably should start by making it possible for it to work with
> the PAM interaction handled by a separate root-owned daemon and to
> add SunAudit logic.  Does this seem reasonable?
The PAM interaction needs to run within the session, because things
like kerberos tickets get renewed when the user unlocks the
screensaver.

--Ray
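The "small setuid helper that opens the resource and drops privileges" and "only check secrets that belong to user foo" points above, written out as an added example (this is not gnome-screensaver, GDM or any Solaris code). It shows the ordering such a helper should follow: open the privileged file first, give up root irrevocably, and only then parse it, restricted to the entry of the helper's real uid. The shadow-format entries, the temp path and the function names are constructed for the example; the actual comparison of a typed password against the stored hash (crypt(3) with the stored salt plus a constant-time compare) is left to the caller and not shown here.

```c
/* Skeleton of a small setuid helper for screen-unlock checks (added example,
 * not gnome-screensaver code). Ordering is the point: open the privileged
 * resource, drop privileges irrevocably, then parse and check only the entry
 * belonging to the helper's real uid. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Give up root for good: supplementary groups first, then gid, then uid,
 * and verify that root cannot be regained. Returns 0 on success. */
static int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() == 0 && setgroups(0, NULL) != 0) /* only root may clear groups */
        return -1;
    if (setresgid(rgid, rgid, rgid) != 0)          /* gid before uid, or it fails later */
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    if (ruid != 0 && setuid(0) == 0)               /* must not be able to get root back */
        return -1;
    return 0;
}

/* Open the shadow-format file while still privileged, then drop privileges
 * before any parsing happens. Returns 0 and an open stream on success. */
static int open_then_drop(const char *path, FILE **out)
{
    FILE *fp = fopen(path, "r");
    int rc = drop_privileges();                    /* drop even if the open failed */
    if (fp == NULL || rc != 0) {
        if (fp) fclose(fp);
        return -1;
    }
    *out = fp;
    return 0;
}

/* Fetch the hash field for exactly one user. Returns 0 and copies the hash,
 * -1 if the user has no entry, -2 if the entry is locked or empty (fail closed). */
static int shadow_hash_for_user(FILE *fp, const char *user, char *out, size_t outlen)
{
    char line[1024];
    int rc = -1;
    rewind(fp);
    while (fgets(line, sizeof line, fp)) {
        char *name = line;
        char *hash = strchr(line, ':');
        if (!hash) continue;
        *hash++ = '\0';
        char *end = strchr(hash, ':');
        if (end) *end = '\0';
        else hash[strcspn(hash, "\n")] = '\0';
        if (strcmp(name, user) != 0) continue;
        if (hash[0] == '\0' || hash[0] == '!' || hash[0] == '*') { rc = -2; break; }
        snprintf(out, outlen, "%s", hash);
        rc = 0;
        break;
    }
    memset(line, 0, sizeof line);                  /* don't keep other users' hashes around */
    return rc;
}

/* The only account the helper will ever check is the one matching its real uid. */
static const char *name_for_real_uid(void)
{
    struct passwd *pw = getpwuid(getuid());
    return pw ? pw->pw_name : NULL;
}

/* Runs the whole sequence on a constructed shadow-format file written to a
 * temp path; returns 0 if every expectation holds, otherwise the failing step. */
static int run_constructed_demo(void)
{
    char path[] = "/tmp/shadow-demo-XXXXXX";       /* constructed temp file, not /etc/shadow */
    int fd = mkstemp(path);
    if (fd < 0) return 1;
    FILE *w = fdopen(fd, "w");
    if (!w) { close(fd); unlink(path); return 1; }
    fputs("alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::\n"
          "bob:!:19000:0:99999:7:::\n"
          "carol::19000:0:99999:7:::\n", w);        /* constructed sample entries */
    fclose(w);

    FILE *fp = NULL;
    char hash[256];
    int step = 0;
    if (open_then_drop(path, &fp) != 0) step = 2;
    else if (shadow_hash_for_user(fp, "alice", hash, sizeof hash) != 0 ||
             strcmp(hash, "$6$constructedsalt$constructedhash") != 0) step = 3;
    else if (shadow_hash_for_user(fp, "bob", hash, sizeof hash) != -2) step = 4;     /* locked */
    else if (shadow_hash_for_user(fp, "carol", hash, sizeof hash) != -2) step = 5;   /* empty */
    else if (shadow_hash_for_user(fp, "mallory", hash, sizeof hash) != -1) step = 6; /* absent */
    if (fp) fclose(fp);
    unlink(path);
    return step;
}

int main(void)
{
    const char *me = name_for_real_uid();
    printf("real uid %u resolves to %s\n", (unsigned)getuid(), me ? me : "(unknown)");
    printf("constructed demo: %s\n", run_constructed_demo() == 0 ? "ok" : "FAILED");
    return 0;
}
```

In a real helper `main` would pass `name_for_real_uid()` to `shadow_hash_for_user`, never a caller-supplied name, so a helper invoked by user foo can only ever fetch foo's entry; locked and empty hash fields are rejected before any comparison, so a disabled account cannot be unlocked with an empty password.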
