sofar at foo-projects.org
Fri Jun 29 18:53:50 CEST 2007
Tim Tassonis wrote:
> polytan wrote:
>> What are the security issues with a simple local login manager using
>> xfce libraries just to start X in the tty used (like qingy in fact, but
>> without framebuffer and directfb) ?
> As far as I see it:
> A login manager naturally is a setuid root program, it runs under root
> and can be called by anybody. That is a security implication by itself...
that should not be the case... a login manager should run *as* root but
certainly not be setuid root.
> GTK explicitly discourages using their libraries under root. In order to
> work around this, you need two separate processes, an unprivileged one
> to receive the input and another one checking userid/password and
> switching user and stuff.
IOW write a split up model: a root daemon that launches the GUI login screen and
a privileged root process that holds and restarts the X server (X should of
course be run as root).
> So, you need a secure communication method between the gtk login screen
> and the privileged helper program that nobody can intercept, as
> credential must be passed.
> It's certainly doable, but not too many people regard it as a welcome
> waste of time to implement such a thing and take the blame for any
> security issues. Cause if the login manager can be broken, you're fucked
> big time.
as long as the GUI part runs as user nobody and drops all privs you're fine...
the only real risk is how to pass the login info to the privileged daemon in
such a way that it doesn't open more holes, but that should be trivial...
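The split model the thread converges on (root daemon, unprivileged GUI, a narrow channel between them for the login info) in working C. This is an added example written for this archive page; it is not code from sofar, Tim Tassonis or the Xfce project. It assumes Linux/glibc, a local "nobody" account, and uses constructed sample credentials ("alice", "constructed-pw"); the function names (drop_privileges, send_credentials, recv_credentials) and the two-byte length-prefixed wire format are this example's own choices. The channel is a socketpair created by the daemon before fork, so there is no filesystem socket for another local user to connect to, and the daemon rejects any record that is not exactly what it expects before acting on it.

```c
/* Privilege-separated credential hand-off for the split model discussed in the
 * thread: a daemon that stays root, a GUI process that drops to "nobody", and a
 * strictly framed message between them over a socketpair the daemon created (no
 * filesystem socket another user could connect to). Assumes Linux/glibc. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_FIELD 128   /* hard cap; received fields always stay NUL-terminated */

struct login_msg { char user[MAX_FIELD]; char pass[MAX_FIELD]; };

/* Permanently drop root to uid/gid (groups, gid, then uid) and confirm root
 * cannot be regained. No-op when not root, so the example also runs unprivileged. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) return 0;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (uid != 0 && (setuid(0) == 0 || getuid() != uid || geteuid() != uid)) return -1;
    return 0;
}

/* Loop until the whole buffer is written/read; a short read is a protocol error. */
static int write_all(int fd, const void *buf, size_t len) {
    for (const char *p = buf; len > 0;) {
        ssize_t n = write(fd, p, len);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        p += n; len -= (size_t)n;
    }
    return 0;
}
static int read_all(int fd, void *buf, size_t len) {
    for (char *p = buf; len > 0;) {
        ssize_t n = read(fd, p, len);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) return -1;   /* peer closed mid-record */
        p += n; len -= (size_t)n;
    }
    return 0;
}

/* GUI side: frame as [ulen][plen][user][pass]. Fields that would not fit the
 * daemon's fixed buffers are refused outright rather than truncated. */
int send_credentials(int fd, const char *user, const char *pass) {
    size_t ul = strlen(user), pl = strlen(pass);
    if (ul == 0 || ul >= MAX_FIELD || pl >= MAX_FIELD) return -1;
    uint8_t hdr[2] = { (uint8_t)ul, (uint8_t)pl };
    return (write_all(fd, hdr, 2) || write_all(fd, user, ul) || write_all(fd, pass, pl)) ? -1 : 0;
}

/* Daemon side: parse one record and reject anything malformed before it is
 * acted on. Authentication itself belongs here, in the root daemon, not in the GUI. */
int recv_credentials(int fd, struct login_msg *out) {
    uint8_t hdr[2];
    memset(out, 0, sizeof *out);
    if (read_all(fd, hdr, 2) != 0) return -1;
    size_t ul = hdr[0], pl = hdr[1];
    if (ul == 0 || ul >= MAX_FIELD || pl >= MAX_FIELD) return -1;
    if (read_all(fd, out->user, ul) != 0 || read_all(fd, out->pass, pl) != 0) return -1;
    for (size_t i = 0; i < ul; i++) {        /* username: printable ASCII only */
        unsigned char c = (unsigned char)out->user[i];
        if (c < 0x21 || c > 0x7e) return -1;
    }
    return memchr(out->pass, '\0', pl) ? -1 : 0;   /* no embedded NUL in password */
}

/* Self-check: one record through a socketpair in-process, parsed back intact.
 * Returns 0 on success. The credentials are constructed sample values. */
int demo_roundtrip(void) {
    int sv[2]; struct login_msg m;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    int rc = send_credentials(sv[1], "alice", "constructed-pw");
    if (rc == 0) rc = recv_credentials(sv[0], &m);
    if (rc == 0 && (strcmp(m.user, "alice") || strcmp(m.pass, "constructed-pw"))) rc = -1;
    memset(&m, 0, sizeof m);   /* wipe the secret once consumed */
    close(sv[0]); close(sv[1]);
    return rc;
}

/* Negative self-check: a zero-length username header from the wire and an
 * oversized field on the sending side must both be refused. Returns 0 if so. */
int demo_rejects_malformed(void) {
    int sv[2]; struct login_msg m; char big[MAX_FIELD + 1];
    memset(big, 'a', MAX_FIELD); big[MAX_FIELD] = '\0';
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    uint8_t bad[2] = { 0, 3 };
    int rc = (write_all(sv[1], bad, 2) == 0 && recv_credentials(sv[0], &m) == -1
              && send_credentials(sv[1], big, "x") == -1) ? 0 : -1;
    close(sv[0]); close(sv[1]);
    return rc;
}

/* Stand-alone demo of the two-process layout: the child plays the GUI, drops
 * to "nobody" when started as root, and sends; the parent plays the daemon. */
int main(void) {
    int sv[2]; struct login_msg m; int status = 1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
    pid_t pid = fork();
    if (pid == 0) {
        close(sv[0]);
        struct passwd *pw = getpwnam("nobody");
        if (pw && drop_privileges(pw->pw_uid, pw->pw_gid) != 0) _exit(1);
        _exit(send_credentials(sv[1], "alice", "constructed-pw") == 0 ? 0 : 1);
    }
    close(sv[1]);
    if (pid > 0 && recv_credentials(sv[0], &m) == 0) {
        printf("daemon received login request for user %s\n", m.user);
        status = 0;
    }
    memset(&m, 0, sizeof m);
    return status;
}
```

Two points the thread only hints at are made explicit here: the GUI side never chooses the user it is logging in as (the daemon does the password check and the setuid to the target account itself), and the record format is rejected on any deviation, so a compromised GUI process can at most send a well-formed but wrong username/password, which is no more than a user at the keyboard can do.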