Re: Questions about PAM, GDM and gnome-screensaver

On Fri, 2008-01-04 at 14:59 -0600, Brian Cameron wrote:
> 1) Since the lockscreen runs in the user's Xserver, there are
>     ways to snoop or corrupt the password via X interfaces.  There
>     doesn't seem to be an easy answer for fixing this.  Making
>     the Xserver GrabServer has been mentioned, but isn't a great
>     solution.

Yeah, so it seems the only way to get around this is the use the
Security extension.  I wasn't sure from the other e-mails, what does Sun
do to solve this problem today?  Would not being able to block this
attack be a regression?

If the solution uses PolicyKit could Sun provide their own
Authentication Agent that implements this the same way as today?  It
would seem that the same requirements would be in place for other
PolicyKit authentications.

> 2) If PAM isn't run as the user, then PAM won't refresh credentials
>     that are in userspace (e.g. a Kerberos credential in
>     gnome-keymanager).  On Solaris, where we don't run PAM as the
>     user anyway, this proposal doesn't break things any worse than
>     it currently is.

It seems like this is also solved by the authentication agent.  Since it
exists in userspace, it is the one who would query gnome-keymanager or
other source to get the authentication.

> 3) There are probably situations where the existing behavior of
>     running PAM as the user is desirable (perhaps on Linux), so
>     it is probably desirable for it to be possible to configure
>     which user actually interacts with PAM.  On Solaris this should
>     probably be a user with enough privilege to interact with PAM
>     (and not the actual user locking the screen).  On Linux it is
>     probably okay to run as the user locking the screen.
> 4) This discussion may just be theoretical since I don't get the
>     impression that all the parties involved really agree how this
>     should be done.  Though, the more we discuss, the more likely
>     we will converge on some clever idea perhaps.

While I'm not a GNOME Screensaver maintainer I would say that I haven't
seen a "No we hate you" on the list, more of a "I'm not sure this design
will work out for what you need."  I would like to see more discussion.
From the Ubuntu perspective I forwarded a few representative e-mails
from this thread to one of our security folks, he seemed to think that
while not required, the idea of moving the screensaver under GDM was a
good one.

There are a few services that seem to be lacking in GDM in general.  It
would make sense that he login prompt would have a reasonable
screensaver and power management.  But, in general I think that this
discussion doesn't cover those.

The two things that I'm concerned about are usability and accessibility.
Once the password dialog is removed from the user's settings I'm not
sure how you maintain their theme (perhaps color blind issues) or their
external hardware (screen reader, etc.).  How does the Sun locking
dialog work today with those features?  I imagine they are requirements
for many of the gov't contracts Sun has.


Attachment: signature.asc
Description: This is a digitally signed message part

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]