Re: gdm: shadow unfriendly



Alan Cox wrote:
> 
> > > > read nobodyuser=root, as only root can access the /etc/shadow file, even
> > > > via pam.
> > >
> > > I dont think we can fix this unless we make gdm suid root, or make gdm
> > > run as root always.
> >
> > What about using pam?
> 
> Or running the gdm daemon as root and front ends as nobody

We should probably suspend this discussion until the newer gdm is posted
to the cvs server. If I remember correctly, the maintainer stated that
he had a newer version.

For the record, though, the current gdm does run as root, and wouldn't
need to be suid, since it runs from init.  Gdmgreeter was set to run as
nobody, but was also doing the password checking. 

That was the problem, the "nobody" frontend can't be doing the password
checking.  Not only would it be unable to check the shadow passwords,
but it would probably be considered a major security hole for gdm, a
root process, to depend on a non-root process for password
authentication. To obtain the passwords, maybe, but I'm still a little
concerned about he security implications of that. 

What if a new exploit is discovered that allows a remote user to obtain
"nobody" access to your machine, via Apache, or Sendmail?  Could they
then get a process in memory that attacks the gdmgreeter, also running
as nobody, to sniff login/passwords? Any process that even handles
passwords, must be paranoid.

Dave



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]