Annotation of wikisrc/projects/project/user-switching.mdwn, revision 1.1
1.1 ! dholland 1: [[!template id=project
! 3: title="User switching with a secure attention key"
! 5: contact="""
! 6: [tech-userlevel](mailto:tech-userlevel@NetBSD.org),
! 7: [tech-x11](mailto:tech-x11@NetBSD.org),
! 8: """
! 10: category="desktop"
! 11: difficulty="medium"
! 13: description="""
! 14: In MacOS X, while logged in on the desktop, you can switch to another
! 15: user (leaving yourself logged in) via a system menu.
! 17: The best approximation to this we have right now is to hit ctrl-alt-Fn,
! 18: switch to a currently unused console, log in, and run startx with an
! 19: alternate screen number.
! 20: This has a number of shortcomings, both from the point of view of
! 21: general polish (logging in on a console and running startx is very
! 22: untidy, and you have to know how) and of technical underpinnings
! 23: (starting multiple X servers uses buckets of memory, may cause driver
! 24: or drmgem issues, acceleration may not work except in the first X
! 25: server, etc.)
! 27: Ideally we'd have a better scheme for this.
! 28: We don't necessarily need something as slick as OS X provides, and we
! 29: probably don't care about Apple's compositing effects when switching,
! 30: but it's useful to be able to switch users as a way of managing least
! 31: privilege and it would be nice to make it easy to do.
! 33: The nature of X servers makes this difficult; for example, it isn't in
! 34: any way safe to use the same X server for more than one user.
! 35: It also isn't safe to connect a secure process to a user's X server to
! 36: display things.
! 38: It seems that the way this would have to work is akin to job control:
! 39: you have a switching supervisor process, which is akin to a shell,
! 40: that runs as root in order to do authentication and switches (or
! 41: starts) X servers for one or more users.
! 42: The X servers would all be attached, I guess, to the same graphics
! 43: backend device (wsfb, maybe? wsdrmfb?) and be switched in and out of
! 44: the foreground in much the way console processes get switched in and
! 45: out of the foreground on a tty.
! 47: You have to be able to get back to the switching supervisor from
! 48: whatever user and X server you're currently running in.
! 49: This is akin to ^Z to get back to your shell in job control.
! 50: However, unlike in job control there are security concerns: the key
! 51: combination has to be something that a malicious application, or even
! 52: a malicious X server, can't intercept.
! 53: This is the "secure attention key".
! 54: Currently even the ctrl-alt-Fn sequences are handled by the X server;
! 55: supporting this will take quite a bit of hacking.
! 57: Note that the secure attention key will also be wanted for other
! 58: desktop things: any scheme that provides desktop-level access to
! 59: system configuration needs to be able to authenticate a user as root.
! 60: The only safe way to do this is to notify the switching supervisor and
! 61: then have the user invoke the secure attention key; then the user
! 62: authenticates to the switching supervisor, and that in turn provides
! 63: some secured channel back to the application.
! 64: This avoids a bunch of undesirable security plumbing as is currently
! 65: found in (I think) GNOME; it also avoids the habit GNOME has of
! 66: popping up unauthenticated security dialogs asking for the root
! 67: password.
! 69: Note that while the switching supervisor could adequately run in text
! 70: mode, making a nice-looking graphical one won't be difficult.
! 71: Also that would allow the owner of the machine to configure the
! 72: appearance (magic words, a custom image, etc.) to make it harder for
! 73: an attacker to counterfeit the thing.
! 75: It is probably not even possible to think about starting this project
! 76: until DRM/GEM/KMS stuff is more fully deployed, as the entire scheme
! 77: presupposes being able to switch between X servers without the X
! 78: servers' help.
! 80: """
! 81: ]]
CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb