On Mon, Aug 17, 2009 at 08:20:14PM -0500, Brian Cameron wrote:
> - Several people (Joerg Barfurth, Darren Moffat, Nicolas Williams) have
>   highlighted that GDM should not touch the user's $HOME directory
>   before the user authenticates.  Currently GDM accesses the user's
>   face image ($HOME/.face) and the user's session/language defaults
>   ($HOME/.dmrc) before pam_setcred.  Touching the user's $HOME
>   directory before pam_setcred causes problems for Kerberos, for
>   example.
> 
>   Proposed solution:
> 
>   - The SUNWgnome-display-mgr-root package would install a directory
>     /var/cache/gdm.

What will be the permissions on this and the files in it?

>   [...]

Looks good to me.

> - Darren Moffat and Nicolas Williams say that the Face Browser should
>   not use any heuristics to determine if users should be displayed in
>   the Face Browser or not.  For example, GDM should not assume that
>   only users in /etc/passwd with a valid shell should be included.
>   Darren Moffat further suggests that users must opt-in to be visible
>   in the Face Browser.  Otherwise Darren feels there is a privacy issue.
> 
>   Proposed solution:
> 
>   This issue is partly solved by addressing the issue above, where
>   we move the user's face image to /var/cache/gdm.  In addition to that
>   solution, one of the two following approaches could be used to
>   address these concerns:

I'd even say that /var/cache/gdm is sufficient because the installer can
touch(1) the initial user's cached and $HOME/.face files, and so can the
Users and Groups and useradd(1M) utilities.  That means that local users
will appear in the face browser, but with no local user heuristics.

Opt-in can be a checkbox in the installer, Users and Groups, and
useradd(1M) utilities.  But that's probably not necessary: just opt-in
all such users in the installer/useradd tools (no checkbox, just do it).
If users/admins don't like that they can disable the face browser
altogether.

>   1) Only display users in the Face Browser which have an image file
>      specified.  Though users with a UID < 100 would be filtered out
>      even if somebody put an image file in the cache.

How would you determine (1) without looking in $HOME?

If root is not a role, then why not put root in the face browser?

>   2) When users first login, create an empty file in
>      /var/cache/gdm/user-$uid/face, which would indicate to the Face
>      Browser to display any user who has logged in on this machine.
>      Again, aside from system users who have a UID < 100.

My comments to (1) apply here too.  But also, one way to opt-out might
be to rm $HOME/.face, yet (2) would seemingly not allow that (since it
seems to clash with the idea that /var/cache/gdm/user-$uid/face is
updated at logout time to be a copy of $HOME/.face).

> - There are many concerns about the Face Browser and whether it should
>   be turned on by default.
> 
>   - Glenn Faden suggested it not be the default because it is a
>     potential security vulnerability to expose usernames before
>     authentication.
> 
>   Proposed Solution:
> 
>   Turn off the Face Browser by default.  This will make OpenSolaris
>   different than everybody else, but our users love us because we are
>   such curmudgeons about these things, I guess.

IMO:

    This is an issue, but it's an installer issue, not really a GDM
    issue.  AI should almost certainly disable it by default, while the
    OpenSolaris installer should probably enable it by default.  To
    force the matter GDM could have this feature disabled by default (a
    "safe" default), such that the OpenSolaris installer project team
    would have to do the enabling.

Nico