On Fri, Mar 07, 2008 at 08:00:18AM -0800, Alan Coopersmith wrote:
> >>>IPC for what?
> >>
> >>Communication between the lock screen GUI running as the user, and
> >
> >The GUI shouldn't be running as the user though. The input and output
> >is through the GUI and that means it has to be trusted and is in fact
> >part of the Trusted Path. That doesn't mean it needs to run with
> >privileges(5) but it shouldn't be running as the user.
>
> How do we do this when GTK+ can't be run setuid?
> http://www.gtk.org/setuid.html
It needs to not be traceable by the user, and the X11 server might want to
confirm that the lock process is part of the trusted path. This could mean
asserting a privilege, which might require setuid (with very early dropping
of all unnecessary privs and restoring euid=user's UID) OR execution via
pfexec(1).

Running with a single non-basic effective privilege asserted that is
meaningful only to the X11 server (and which prevents tracing by the user)
should be OK. Though to be a trusted path one might want to also clear/reset
the GTK_MODULES environment variable early on in the process' life.

Nico
--
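The sequence Nico sketches (scrub the toolkit environment, become the invoking user, keep exactly one extra privilege, and only then bring up GTK+), written out as an added example. This is not code from the thread, from GTK+ or from any screen locker; it assumes a setuid-root lock program on Solaris, uses the privileges(5) API (`setpflags`, `setppriv`, `priv_basicset`, `priv_addset`) only under `#ifdef __sun`, and on other systems falls back to a plain drop that retains nothing. The privilege name the X server would be taught to check is left as a command-line argument because the thread does not name one; the environment variables beyond GTK_MODULES are added here on the same reasoning as that one and are this example's assumption.

```c
/* Added example, not from the thread, GTK+ or any lock program: early
 * privilege bracketing for a setuid-root screen locker.  Solaris-only
 * privileges(5) calls compile under __sun; elsewhere the fallback just
 * becomes the real user (no single-privilege retention available). */
#ifndef __sun
#define _POSIX_C_SOURCE 200809L   /* setenv/unsetenv prototypes in strict modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifdef __sun
#include <priv.h>
#endif

/* Variables through which GTK+ loads modules or rc files from paths the
 * user controls.  GTK_MODULES is the one named in the thread; the rest are
 * this example's assumption.  Cleared before any toolkit initialisation. */
static const char *const untrusted_env[] = {
    "GTK_MODULES", "GTK_PATH", "GTK2_RC_FILES", "GTK_IM_MODULE", NULL
};

/* Remove every listed variable; returns how many were actually present. */
int scrub_toolkit_env(void)
{
    int removed = 0;
    for (const char *const *p = untrusted_env; *p != NULL; p++) {
        if (getenv(*p) != NULL) {
            unsetenv(*p);
            removed++;
        }
    }
    return removed;
}

/* Become the invoking user in all three uids, keeping only the basic set
 * plus the one named privilege (NULL keeps nothing extra).  Children get
 * only the basic set.  Returns 0 on success, -1 on failure. */
int drop_to_user_keeping(const char *keep_priv)
{
    uid_t user = getuid();
#ifdef __sun
    priv_set_t *set = priv_allocset();
    if (set == NULL)
        return -1;
    /* Privilege-aware first: from here on uid 0 grants nothing by itself,
     * and setuid() no longer rewrites the privilege sets behind our back. */
    if (setpflags(PRIV_AWARE, 1) != 0)
        goto fail;
    /* proc_setid is still in E here, so this sets real, effective and saved. */
    if (setuid(user) != 0)
        goto fail;
    /* I = basic: anything we exec becomes an ordinary process. */
    priv_basicset(set);
    if (setppriv(PRIV_SET, PRIV_INHERITABLE, set) != 0)
        goto fail;
    /* P = E = basic + keep_priv.  E is set explicitly so the privilege is
     * asserted, not merely permitted; an unknown name makes priv_addset fail. */
    if (keep_priv != NULL && priv_addset(set, keep_priv) != 0)
        goto fail;
    if (setppriv(PRIV_SET, PRIV_PERMITTED, set) != 0 ||
        setppriv(PRIV_SET, PRIV_EFFECTIVE, set) != 0)
        goto fail;
    priv_freeset(set);
#else
    (void)keep_priv;   /* no single-privilege retention outside Solaris */
    if (setuid(user) != 0)
        return -1;
#endif
    /* The drop must be irreversible: a saved uid of 0 would let setuid(0) succeed. */
    if (user != 0 && setuid(0) == 0)
        return -1;
    return 0;
#ifdef __sun
fail:
    priv_freeset(set);
    return -1;
#endif
}

int main(int argc, char **argv)
{
    /* argv[1]: hypothetical privilege name the X server would check (unnamed in the thread) */
    const char *keep = argc > 1 ? argv[1] : NULL;
    int n = scrub_toolkit_env();
    if (drop_to_user_keeping(keep) != 0) {
        perror("drop_to_user_keeping");
        return 1;
    }
    printf("scrubbed %d variable(s); uid=%u euid=%u\n",
           n, (unsigned)getuid(), (unsigned)geteuid());
    /* gtk_init() and the lock UI would only be entered after this point. */
    return 0;
}
```

The order matters: `setpflags(PRIV_AWARE, 1)` comes before `setuid()` because a non-aware process that leaves uid 0 has its permitted and effective sets reset to the inheritable set, which would silently discard the privilege meant for the X server; and the uids are changed while proc_setid is still effective so that the saved uid does not stay 0. With P restricted to basic plus one privilege the user's own debugger no longer holds a superset of the locker's privileges, which is what makes the process untraceable by that user.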