Re: Questions about PAM, GDM and gnome-screensaver



On Mon, 2008-01-07 at 15:30 -0600, Brian Cameron wrote:
> The problem with fast-user-switching is that it only works in
> environments that support VT.  It wouldn't work, for example, in an
> XDMCP remote session, or other sessions that aren't associated
> directly with the console.

Let's not rule out that the software on such clients (e.g. thin clients
à la Sun Ray) can be changed; IOW let's not constrain ourselves from
the get-go.

> > In conclusion, I don't think properly securing authentication dialogs
> > is possible to do without teaching the X server about labeling its
> > objects; e.g. XACE (I'd love to be proved wrong though). The good
> > thing, however, is that people are indeed working on XACE; at least the
> > SELinux bits of it.
> 
> You don't think the X Security extension by itself is a possible
> solution?  I don't understand.  Perhaps you could explain why a bit
> more?

Because there's a bunch of other attack vectors (for example
GTK_MODULES, accessibility, X settings, ptrace). So the only thing you'd
be adding would be a "little extra" security. And that's not
really useful... in a way it's actually harmful insofar as it would
create a false sense of security (it's what some people call snake oil)
and it would most probably delay the real solution.

       David



