Re: [gdm-list] Screensaver Solution Discussion
- From: Bob Doolittle <Robert Doolittle Sun COM>
- To: Jeff Cai <Jeff Cai Sun COM>
- Cc: GNOME Accessibility <gnome-accessibility-list gnome org>, gdm-list gnome org, screensaver-list gnome org
- Subject: Re: [gdm-list] Screensaver Solution Discussion
- Date: Thu, 21 Jan 2010 14:16:46 -0500
I'm sorry but I made some cut/paste error. You need to call
pam_authenticate() immediately after step 2. You certainly aren't going
to have gdm's pam_conf() function invoked until you do :)
I remember writing that, but obviously managed to fat-finger it away
before sending this out. :-\
Sorry about that,
Bob
Bob Doolittle wrote:
I've annotated your steps below with more specific PAM invocations:
Jeff Cai wrote:
I summarized the steps about how screensaver works. Because a user
can disable VT, also because VT has not been supported on some
platforms yet, for example SUN Sparc,
we will handle both situations separately.
1. After the user logs in, the user's gnome-screensaver (user
session) process will
start.
pam_start() should be called
2. When gnome-session tells that the session is idle,
gnome-screensaver
will start a full-screen window and grab the keyboard and the pointer,
that is to say, the user's session is locked.
gnome-screensaver tells GDM that the user's session is locked. GDM
will start initializing PAM and creates the unlock dialog if VT is
enabled.
Potentially gnome-screensaver's pam_conv() function may be called.
Your steps below assume that it is.
Don't forget however that the pam_conv() function may never be called
if a PAM module marked as "sufficient" on the auth stack returns
PAM_SUCCESS before any later PAM module invokes the conversation
function. This could happen for any sort of device that does external
authentication independent of the conversation function, such as a
smartcard reader that has a built-in PIN pad which doesn't require any
X-based dialog/interaction, for instance. In such a case none of the
below steps would occur (no unlock dialog ever displayed, no waiting
for user mouse/kb event).
It's crucial in this model that no local X server grab affect the
ability for gnome-screensaver to interact with another VT. I imagine
there's no issue here but I raise this point just in case. If there is
a grab in effect by some other application (e.g. firefox has a menu
pulled down) and gnome-screensaver performs any sort of X operation on
the local display that thread will *block*. This is the sort of
vulnerability we are trying to resolve by utilizing a different VT for
authentication.
I'm not going into the details about calls to pam_setcred (REFRESH),
pam_acct_mgmt, and pam_open_session (this last call may not be
required for gnome-screensaver, although perhaps when it interacts
with a new VT it is? You'd need to check with a better PAM expert than
I on this).
-Bob
3. If the user moves the mouse or hit the keyboard
3a. If VT is enabled, gnome-screensaver will ask GDM to show the
unlock
dialog on another DISPLAY, and ask VT manager to switch to that
DISPLAY. Then the user inputs the correct password, GDM tells
gnome-screensaver to
destroy the window and release the keyboard and the mouse. Do the VT
switching
to the user's DISPLAY.
3b. If VT is not enabled, gnome-screensaver will show the unlock
dialog, interacting with GDM on PAM authentication. If the user input
the
correct password, gnome-screensaver will destroy the lock window and
release the keyboard and the mouse.
For 3a, since a new GDM session is created, and GDM has already
supported the accessibility, we don't need more work to do.
But for 3b, we need consider to support the accessibility for the
unlock dialog. Here I CCed a11y list in order to hear their opinions.
Can I start a new at-spi-registryd for the unlock dialog? This daemon
runs on a new DBUS session daemon listening on a new DBUS address.
The unlock process and ATs will communicate with this session daemon,
which will not affect the old daemon.
Jeff
_______________________________________________
gdm-list mailing list
gdm-list gnome org
http://mail.gnome.org/mailman/listinfo/gdm-list
_______________________________________________
gdm-list mailing list
gdm-list gnome org
http://mail.gnome.org/mailman/listinfo/gdm-list
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]