Re: Questions about PAM, GDM and gnome-screensaver

From: David Zeuthen <david fubar dk>
To: Ted Gould <ted ubuntu com>
Cc: Gary Winiger <gww eng sun com>, Alan Coopersmith <Alan Coopersmith Sun COM>, screensaver-list gnome org, Brian Cameron <Brian Cameron Sun COM>
Subject: Re: Questions about PAM, GDM and gnome-screensaver
Date: Fri, 04 Jan 2008 23:21:42 -0500

On Fri, 2008-01-04 at 19:16 -0800, Ted Gould wrote:
> If the solution uses PolicyKit could Sun provide their own
> Authentication Agent that implements this the same way as today?  It
> would seem that the same requirements would be in place for other
> PolicyKit authentications.

The PolicyKit authentication dialog suffers from exactly the same
problems. There's some suggestions (that I need to reply to, sorry for
the lag Martin) in

 https://bugs.freedesktop.org/show_bug.cgi?id=13742

but I'm pretty sure this won't be solved properly before XACE and
labeled objects in the X server (which requires something akin to
SELinux; whether AppArmor on Linux works, maybe, I haven't checked. On
Solaris I believe RBAC, capabilities or similar is used) is available. 

In the interim one course of action is to move all authentication
dialogs (including those asking for e.g. credentials to connect to a
remote share etc. - e.g. the yet-to-be-written GtkMountOperation dialog
for gvfs would use it too) to the login screen using SAK (just like
Windows does). So the user interaction would be something like

 +----------------------------------------------------------------+
 | You need to authenticate because of XYZ. Press Ctrl+Alt+Delete |
 | to proceed.                                                    |
 +----------------------------------------------------------------+

and then we essentially fast-user-switch to the gdm screen (a sandbox
environment) to do the authentication. Of course with this approach you
have issues with the accessibility stack; not so much bringing it up
(need to do that for accessible login anyway) but to make sure it uses
the same settings as the logged in user. 

Oh, and then there's the detail that f-u-s doesn't work properly on
Linux with the current DRI/DRM stack [1]. So it's not really feasible to
implement this either. 

In conclusion. I don't think properly securing authentication dialogs
are possible to do without teaching the X server about labeling it's
objects; e.g. XACE (I'd loved to be proved wrong though). The good
things, however, is that people are indeed working on XACE; at least the
SELinux bits of it.

      David

[1] : though airlied is working on that
      http://airlied.livejournal.com/55110.html

Follow-Ups:
- Re: Questions about PAM, GDM and gnome-screensaver
  - From: Brian Cameron

References:
- Re: Questions about PAM, GDM and gnome-screensaver
  - From: Ted Gould
- Re: Questions about PAM, GDM and gnome-screensaver
  - From: Brian Cameron
- Re: Questions about PAM, GDM and gnome-screensaver
  - From: Ted Gould

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]