Re: Questions about PAM, GDM and gnome-screensaver



On Fri, 2008-01-04 at 14:59 -0600, Brian Cameron wrote:
> 1) Since the lockscreen runs in the user's Xserver, there are
>     ways to snoop or corrupt the password via X interfaces.  There
>     doesn't seem to be an easy answer for fixing this.  Making
>     the Xserver GrabServer has been mentioned, but isn't a great
>     solution.

Yeah, so it seems the only way to get around this is to use the
Security extension.  I wasn't sure from the other e-mails, what does Sun
do to solve this problem today?  Would not being able to block this
attack be a regression?

If the solution uses PolicyKit could Sun provide their own
Authentication Agent that implements this the same way as today?  It
would seem that the same requirements would be in place for other
PolicyKit authentications.

> 2) If PAM isn't run as the user, then PAM won't refresh credentials
>     that are in userspace (e.g. a Kerberos credential in
>     gnome-keymanager).  On Solaris, where we don't run PAM as the
>     user anyway, this proposal doesn't break things any worse than
>     it currently is.

It seems like this is also solved by the authentication agent.  Since it
exists in userspace, it is the one who would query gnome-keymanager or
other source to get the authentication.

http://hal.freedesktop.org/docs/PolicyKit/model-theory-of-operation.html

> 3) There are probably situations where the existing behavior of
>     running PAM as the user is desirable (perhaps on Linux), so
>     it is probably desirable for it to be possible to configure
>     which user actually interacts with PAM.  On Solaris this should
>     probably be a user with enough privilege to interact with PAM
>     (and not the actual user locking the screen).  On Linux it is
>     probably okay to run as the user locking the screen.
> 
> 4) This discussion may just be theoretical since I don't get the
>     impression that all the parties involved really agree how this
>     should be done.  Though, the more we discuss, the more likely
>     we will converge on some clever idea perhaps.

While I'm not a GNOME Screensaver maintainer I would say that I haven't
seen a "No we hate you" on the list, more of a "I'm not sure this design
will work out for what you need."  I would like to see more discussion.
From the Ubuntu perspective I forwarded a few representative e-mails
from this thread to one of our security folks; he seemed to think that
while not required, the idea of moving the screensaver under GDM was a
good one.

There are a few services that seem to be lacking in GDM in general.  It
would make sense that the login prompt would have a reasonable
screensaver and power management.  But, in general I think that this
discussion doesn't cover those.

The two things that I'm concerned about are usability and accessibility.
Once the password dialog is removed from the user's settings I'm not
sure how you maintain their theme (perhaps color blind issues) or their
external hardware (screen reader, etc.).  How does the Sun locking
dialog work today with those features?  I imagine they are requirements
for many of the gov't contracts Sun has.

		--Ted
