Re: Questions about PAM, GDM and gnome-screensaver
- From: David Zeuthen <david fubar dk>
- To: Brian Cameron <Brian Cameron Sun COM>
- Cc: Alan Coopersmith <Alan Coopersmith Sun COM>, screensaver-list gnome org, Gary Winiger <gww eng sun com>
- Subject: Re: Questions about PAM, GDM and gnome-screensaver
- Date: Mon, 07 Jan 2008 17:48:05 -0500
On Mon, 2008-01-07 at 15:30 -0600, Brian Cameron wrote:
> The problem with fast-user-switching is that it only works in
> environments that support VT. It wouldn't work, for example, in an
> XDMCP remote session, or other sessions that aren't associated
> directly with the console.
Let's not rule out that the software on such clients (e.g. thin clients
à la Sun Ray) can be changed; IOW let's not constrain ourselves from
the get-go.
> > In conclusion, I don't think properly securing authentication dialogs
> > is possible to do without teaching the X server about labeling its
> > objects; e.g. XACE (I'd love to be proved wrong though). The good
> > thing, however, is that people are indeed working on XACE; at least the
> > SELinux bits of it.
>
> You don't think the X Security extension by itself is a possible
> solution? I don't understand. Perhaps you could explain why a bit
> more?
Because there's a bunch of other attack vectors (for example
GTK_MODULES, accessibility, X settings, ptrace). So the only thing you'd
be adding would be to add a "little extra" security. And that's not
really useful... in a way it's actually harmful insofar as it would
create a false sense of security (it's what some people call snake oil)
and it would most probably delay the real solution.
David