> On Thu, Mar 06, 2008 at 11:07:33AM -0800, Gary Winiger wrote:
> > How does it support pam_setcred()?
>
> Screen lock programs typically do not (and IMO never should) start any
> session processes -- typically after authentication and authorization
> they just exit.
That's not all. They audit their invocation, ensure the screen does not display any user information, ensure the keyboard and pointer do not communicate with any user processes, authenticate the locking user (and if the authentication token requires change, change that token and audit that change), refresh the user's credentials, audit the unlock, release the screen, keyboard and pointer for user process use. And during the lock they ensure there is a trusted path to the screen and that any input is contained within the trusted path.

Gary..