[Xlock-develop] [Fwd: Re: [Xlock-discuss] PAM integration]
Dan Lukes
dan at obluda.cz
Tue Nov 7 08:34:58 EST 2006
Yuri Bushmelev napsal/wrote, On 11/07/06 12:59:
>> E.g., PAM and non-PAM authentication become two unrelated
>> authentication subsystems which will never both act.
> Ok, I have new auth framework (draft) instead of one in TODO:
>
> Xlock will be started setuid root. After start and proper
> initialization we create two pipes (or socketpair, if available) and
> fork a child (auth-backend). Parent (main xlock process) will revoke
> all privileges.
It seems you are planning "another PAM" which acts almost like PAM, but
has its own modules, with legacy PAM as one of them.
The "minimal privilege concept" is good, but I'm not sure we really need
the separate process and the IPC protocol between them. It seems
over-complicated to me. Careful use of seteuid() can satisfy my
paranoia.
Well, complete separation is more secure, so if you can spend the time
on it, let's go.
> When the user attempts to authenticate, the main process sends an AUTH
> command to the auth-backend.
>
> AUTH\r\n<username>|<uid>
A UID is not a unique identification of a user, so it can't be used there.
>> So, I'm asking again - should I try to make a patch?
>
> It seems more than just a patch. It's like a "full rewrite of the
> authentication subsystem". So (IMHO) we must decide what we should
> make and when.
My original idea does not involve so much new code. In fact, it's a
reordering of existing code and splitting of some functions. So I called
it a patch. But it's not important what we call the change as long as we
understand what we are speaking about.
> I can write the described framework, but not right now. Maybe next
> weekend. I can make an extended version (auth-daemon) also if needed.
>
> I have a question too.. Isn't such a system too complex for xlock?
IMHO, yes, it is.
But the decision is up to David, as he is the project leader, and up to
you, as it is your time that will be spent.
> PS. Somebody can count how many errors I make in this letter? :)
English is not my native language, so I can't. At least the word order
in your last question seems incorrect to me. The question should start
'Can somebody count ...' IMHO.
Also, 'make' seems not to be correct, but I'm not sure about the
correct variant ('made'?).
I think we can understand each other. The standard rules for
international discussion lists apply.
Dan
P.S. I'm sure I would understand even if you wrote the text in Russian,
but I'm worried about David ;-)
--
Dan Lukes SISAL MFF UK
AKA: dan at obluda.cz, dan at freebsd.cz, dan at kolej.mff.cuni.cz
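The privilege-separated design Yuri sketches above (xlock starts setuid root, forks an auth-backend child, the parent drops all privileges and only speaks a small AUTH protocol to the child), as an added example in C. This is not xlock code and not from either author of the thread. It assumes a socketpair instead of two pipes, a constructed credential table standing in for the real PAM or password-database lookup, and an assumed line framing of `AUTH\n<username>\n<password>\n` answered with `OK\n` or `FAIL\n`; the request carries the username only, following Dan's point that a UID does not identify a user uniquely.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed credential table for the example; a real backend would
 * consult PAM or the password database instead. */
static const struct { const char *user, *password; } TABLE[] = {
    { "alice", "correct horse" }, { "bob", "hunter2" },
};

/* Compare the secret without leaking where the first mismatch is. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la ^ lb);
    for (i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* The privileged check. Only the backend process ever runs this. */
int backend_check(const char *user, const char *password) {
    size_t i;
    for (i = 0; i < sizeof TABLE / sizeof TABLE[0]; i++)
        if (strcmp(TABLE[i].user, user) == 0)
            return ct_equal(TABLE[i].password, password);
    return 0;
}

/* Read one '\n'-terminated line, newline stripped. 0 on success, -1 on
 * EOF, error, or an over-long line (refused rather than truncated). */
static int read_line(int fd, char *buf, size_t n) {
    size_t i = 0;
    char c;
    while (i + 1 < n) {
        if (read(fd, &c, 1) != 1) return -1;
        if (c == '\n') { buf[i] = '\0'; return 0; }
        buf[i++] = c;
    }
    return -1;
}

/* Auth-backend: serve AUTH requests until the parent closes its end. */
static void backend_loop(int fd) {
    char cmd[16], user[64], pass[256];
    while (read_line(fd, cmd, sizeof cmd) == 0) {
        if (strcmp(cmd, "AUTH") != 0) break;        /* unknown command: hang up */
        if (read_line(fd, user, sizeof user) != 0 ||
            read_line(fd, pass, sizeof pass) != 0) break;
        const char *reply = backend_check(user, pass) ? "OK\n" : "FAIL\n";
        (void)write(fd, reply, strlen(reply));
        memset(pass, 0, sizeof pass);               /* don't keep the secret around */
    }
}

/* Drop all privileges in the parent: group first, then user, then verify
 * that the effective ids really match the real (invoking user's) ids. */
int drop_privileges(void) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* Unprivileged side: ask the backend over the socket; 1 if accepted. */
int authenticate_via_backend(int fd, const char *user, const char *password) {
    char req[512], reply[16];
    int n;
    if (strchr(user, '\n') || strchr(password, '\n')) return 0; /* would break framing */
    n = snprintf(req, sizeof req, "AUTH\n%s\n%s\n", user, password);
    if (n < 0 || (size_t)n >= sizeof req || write(fd, req, (size_t)n) != n) return 0;
    memset(req, 0, sizeof req);
    if (read_line(fd, reply, sizeof reply) != 0) return 0;
    return strcmp(reply, "OK") == 0;
}

/* The whole exchange: fork the backend, drop privileges in the parent,
 * ask once. Returns 1 if accepted, 0 if refused, -1 on setup failure. */
int run_privsep_auth(const char *user, const char *password) {
    int sv[2], result, status;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {                 /* child: keeps privileges, speaks only the protocol */
        close(sv[0]);
        backend_loop(sv[1]);
        _exit(0);
    }
    close(sv[1]);                   /* parent: the UI side, unprivileged from here on */
    result = drop_privileges() == 0 ? authenticate_via_backend(sv[0], user, password) : -1;
    close(sv[0]);                   /* EOF makes the backend exit */
    waitpid(pid, &status, 0);
    return result;
}

int main(void) {
    printf("alice / correct horse -> %d\n", run_privsep_auth("alice", "correct horse"));
    printf("alice / wrong         -> %d\n", run_privsep_auth("alice", "wrong"));
    return 0;
}
```

Run as an ordinary user, both ends already hold the same uid, so drop_privileges() changes nothing but still verifies the effective ids; in a setuid-root binary the same call is what makes the parent lose root while the forked backend keeps it. The parent never sees the credential table, the backend never sees the display, and the only thing crossing between them is the three-line request and a one-word reply; the parent refuses a username or password containing a newline because it would let one field be read as the next.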