William Young wrote:
> Darren J Moffat wrote:
>> William Young wrote:
>>
>>> Multiple X servers and a gui switch event is an interesting problem.
>>> It will be necessary to disable the possibility of any single label X
>>> sessions or one can visually emulate the switcher with trusted path.
>>> I don't think that is a concern right now, but should be a noted
>>> requirement if a secure X switcher is mentioned.
>>
>>
>> I think that concern is there regardless of a GUI for doing the
>> switching. If a keyboard (or any other method, e.g. programmatic)
>> switching is possible that can be used to spoof as well (and in fact
>> is probably even more risky in some cases).
> The write up included disabling keyboard methods and multiple VTs
> generally but mentioned the possibility of a secure gui switcher to have
> multiple graphics/X VTs only. This could be done securely, but only if
> all available graphic sessions are trusted (so the gui can have trusted
> path and there is no means to falsely create the appearance of trusted
> path.)
> Keyboard mechanisms could be acceptable but keyboard events would
> have to be going to a VT manager for initial processing and in TX's case
> I think we would require a part of VT management to handle session
> locking etc. The VT management would also need to do something visual
> and non-forgeable to indicate when the sequences were hit to prevent
> simple physical attacks (i.e. physically damaging a key in the sequence
> and then emulating the VT change.)

Which says to me that what Solaris really needs here is a Trusted Path
that is graphical and available via a secure attention key sequence that
is implemented in the kernel and not as part of the desktop
environment/Xserver like it is today (and always was in Trusted Solaris
and SunOS CMW). That however is out of scope for this project team but I
believe they aren't doing anything that would impact us doing a kernel
based trusted path in the future.

>> I think though you have pointed out the best behaviour from the TX
>> view which is that if the system is labeled the vt's are not enabled -
>> or at least they can't be allowed to enter a graphics mode. IIRC in
>> previous Trusted Solaris releases we actually disabled the dtlogin
>> "Command Line Login" option but we don't in TX (which I'm okay with).
>>
> Yes, I think there may be a race condition that allows X/cdelogin to
> start when there is an active command line session which should be
> fixed. Being able to do either-or seems fine to me as well.

The fix IMO is the replacement of dtlogin with gdm which doesn't have
this issue best I can tell.

--
Darren J Moffat