Brian Cameron wrote:
>> 1. Lack of Failsafe session.
>>
>> I see this as a major issue. I use the failsafe session more when I'm
>> not on the console than when I am. In particular I often use failsafe
>> when connecting using VNC or a lot when using Sun Ray. A common use case
>> for me is when connecting to the same server that already has another
>> Sun Ray, VNC or console session - because I still don't trust GNOME not
>> to screwup my config with multiple active session against he same home
>> dir.
>
> After reviewing how the new GDM is installed on other distros, we
> noticed that they are shipping a /usr/share/xsessions/xterm.desktop
> which allows users to log into an xterm, rather than the full GNOME
> desktop. So, we have also added this to our GDM builds and I have
> updated the Exported Interface table to include this xterm.desktop
> file. I think this will meet your needs.
Certainly sounds like it will, thanks.
>> 2. Default using face browser
>>
>> What is the definition of a system account ?
>
> I appreciate your concern about how the Face Browser works, since it
> never worked very well with the old GDM, especially in environments
> where NIS/LDAP is used.
>
> However, the new face browser is much more intelligent. It uses the
> following logic to filter out system users:
>
> - Filters out all accounts under 100.
> - Filters out all accounts that do not have a valid shell
What is the definition of a valid shell ?
> - It only adds users that are in /etc/passwd and users that have logged
> in previously. So, no users will be shown who are NIS/LDAP users
> unless they have logged in previously.
So it bypasses nsswitch to lookup users ?
> Note when the Face Browser is shown, you can click on the "Other"
> (meaning "Other User") button and enter the username and password.
> If you enter a username that is not a system user (UID<100), then
> that user will show-up in the face browser in subsequent logins.
> The list of recent users is managed by ConsoleKit and stored in
> the file /var/log/ConsoleKit/history, so there is a unique history
> per-machine.
That seems reasonable, and means that it could actually be useful on
some Sun Ray deployments as well.
How many faces does it attempt to show ? Is there a limit in the
history file at which it chooses to show none ?
>> The reason I ask is because the GNOME users and groups tool gets this
>> wrong on Solaris. It correctly hides by default all those accounts with
>> a uid < 100 but it doesn't hide the other reserved system accounts:
>>
>> nobody:x:60001:60001:NFS Anonymous Access User:/:
>> noaccess:x:60002:60002:No Access User:/:
>> nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
>
> Since these users do not have valid shells specified, these would not
> be shown.
Yes they do they have /bin/sh as their shell because that is what an
empty field means for /etc/passwd.
passwd(4):
login-shell is the user's initial shell program. If this
field is empty, the default shell is
/usr/bin/sh.
Lets not discuss here if that makes sense for those accounts or not though.
>> Does the face browser need to read anything in the users home dir ? If
>> so it must be disabled by default since it can cause a downgrade attack
>> if the users home directory is supposed to be mounted with Kerberos by
>> default (but can fall back to sys). We have gone to great lengths over
>> the years to ensure that no login program ever touches the users home
>> directory until after pam_authenticate() and pam_setcred() have returned
>> PAM_SUCCESS.
>
> Yes, the user's image file is loaded from the user's $HOME directory
> before authentication.
Is there an ability to place these elsewhere ?
> As I explained before, we can disable the Face Browser if we want by
> default. All other distros turn on the Face Browser by default, and
> users disable it when needed. Note that if we choose to turn on the
> Face Browser by default, that the Sun Ray install process would turn
> it off. I think many of the cases where the Face Browser would not be
> desired would be in Sun Ray environments (e.g. Trusted Solaris). So,
> if we choose to turn on the Face Browser by default, many users who do
> not want it (e.g. Sun Ray users) would have it turned off by default.
>
> But, if it is a requirement that Solaris by default does not touch the
> user's $HOME directory before authentication, then the Face Browser
> would need to be turned off by default. Do we want to be different
> than other distros in this regard because of this kerberos requirement?
That is good question.
The security part of me says off.
The on Sun network part of me says off
(NFS kerberos home dir/privacy/Huge Sun Ray deployment)
The "keeping up with the jones" part of me says turn it on
The MacOS X user in me says turn it on.
So that's a 50/50 split vote from me :-)
> Obsolete interface, but I could add a mention in the onepager that
> this has an impact on the SUNWgnome-themes package if you think
> that is interesting.
Not necessary given you've mentioned it in the email thread.
--
Darren J Moffat
