Kyle McDonald wrote:
> Brian Cameron wrote:
>> Since the lock screen program requires a backend daemon running as
>> root which actually talks to PAM, and since this root daemon should
>> have access to the Xauth keys for each display, it shouldn't be hard
>> to make lockscreen work like this:
>>
>>
> Will the daemon running as root have access to all the xauth keys?
>
> I'm working from memory, but back when I managed a system using NIS+ and
> therefore SecureRPC's for NFS, and the user's homedirs were mounted with
> the -secure option, root couldn't read any of their files unless they
> were world readable.
>
> Won't that be a problem for this daemon too?

The virtual consoles team have already asked us to have the Xserver make
a well known directory with links to the Xauth data files for each server
running on the system, so that local root processes can use those to get
screen access. While I've not yet decided if this is a good plan or not
(it feels wrong, but that's just a gut feeling, and I can't explain why),
it could be useful in cases like this as well, when you don't want to just
xhost +si:localuser:root and give access to every process running as root.

--
-Alan Coopersmith- alan.coopersmith at sun.com
Sun Microsystems, Inc. - X Window System Engineering