Annotation of wikisrc/projects/project/user-switching.mdwn, revision 1.1 (author: dholland)

[[!template id=project

title="User switching with a secure attention key"

contact="""
[tech-userlevel](mailto:tech-userlevel@NetBSD.org),
[tech-x11](mailto:tech-x11@NetBSD.org),
"""

category="desktop"
difficulty="medium"

description="""
In MacOS X, while logged in on the desktop, you can switch to another
user (leaving yourself logged in) via a system menu.

The best approximation to this we have right now is to hit ctrl-alt-Fn,
switch to a currently unused console, log in, and run startx with an
alternate screen number.
This has a number of shortcomings, both from the point of view of
general polish (logging in on a console and running startx is very
untidy, and you have to know how) and of technical underpinnings
(starting multiple X servers uses buckets of memory, may cause driver
or DRM/GEM issues, acceleration may not work except in the first X
server, etc.)

Ideally we'd have a better scheme for this.
We don't necessarily need something as slick as OS X provides, and we
probably don't care about Apple's compositing effects when switching,
but it's useful to be able to switch users as a way of managing least
privilege and it would be nice to make it easy to do.

The nature of X servers makes this difficult; for example, it isn't in
any way safe to use the same X server for more than one user.
It also isn't safe to connect a secure process to a user's X server to
display things.

It seems that the way this would have to work is akin to job control:
you have a switching supervisor process, which is akin to a shell,
that runs as root in order to do authentication and switches (or
starts) X servers for one or more users.
The X servers would all be attached, I guess, to the same graphics
backend device (wsfb, maybe? wsdrmfb?) and be switched in and out of
the foreground in much the way console processes get switched in and
out of the foreground on a tty.

You have to be able to get back to the switching supervisor from
whatever user and X server you're currently running in.
This is akin to ^Z to get back to your shell in job control.
However, unlike in job control there are security concerns: the key
combination has to be something that a malicious application, or even
a malicious X server, can't intercept.
This is the "secure attention key".
Currently even the ctrl-alt-Fn sequences are handled by the X server;
supporting this will take quite a bit of hacking.

Note that the secure attention key will also be wanted for other
desktop things: any scheme that provides desktop-level access to
system configuration needs to be able to authenticate a user as root.
The only safe way to do this is to notify the switching supervisor and
then have the user invoke the secure attention key; then the user
authenticates to the switching supervisor, and that in turn provides
some secured channel back to the application.
This avoids a bunch of undesirable security plumbing as is currently
found in (I think) GNOME; it also avoids the habit GNOME has of
popping up unauthenticated security dialogs asking for the root
password.
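
The following is an added model of the two flows sketched above (the job-control-style switching supervisor, and the SAK-gated root authentication for a desktop application); it is illustration written for this page, not NetBSD, X or GNOME code. Every class and method name is an assumption, the credential table is constructed, and the `source` tag on an SAK event stands in for whatever kernel mechanism would deliver the key outside the X server's reach. The point it makes concrete is that the supervisor is the only party that changes the foreground or hands out root, and that it only does either on its own screen, which can only be reached through an SAK the X server did not see.

```python
"""Model of a switching supervisor with a secure attention key (added example).

Assumptions: names are invented for this model; the credential dict stands in
for the real password database; "kernel" marks the one trusted SAK source.
"""
from dataclasses import dataclass
from hmac import compare_digest
import secrets
from typing import Dict, List, Optional

SUPERVISOR = "supervisor"   # the supervisor's own screen, the "shell" of the analogy
KERNEL = "kernel"           # the only source whose SAK events are honoured


@dataclass
class Session:
    user: str
    display: int            # X display number owned by this user's server


@dataclass
class AuthRequest:
    app_id: str
    granted: bool = False


class SwitchingSupervisor:
    def __init__(self, credentials: Dict[str, str]):
        self._creds = credentials            # constructed stand-in for passwd data
        self.sessions: Dict[str, Session] = {}
        self.foreground: str = SUPERVISOR    # who currently owns the display
        self.pending: Dict[str, AuthRequest] = {}
        self.tokens: Dict[str, str] = {}     # one-time token -> app_id
        self.log: List[str] = []

    def _check(self, user: str, password: str) -> bool:
        stored = self._creds.get(user)
        return stored is not None and compare_digest(stored, password)

    # Job-control analogue: the foreground only changes from the supervisor screen.
    def login(self, user: str, password: str) -> bool:
        if self.foreground != SUPERVISOR or not self._check(user, password):
            self.log.append(f"login refused for {user}")
            return False
        if user not in self.sessions:       # start an X server, or resume one
            self.sessions[user] = Session(user, display=len(self.sessions))
        self.foreground = user
        self.log.append(f"foreground -> {user} (display :{self.sessions[user].display})")
        return True

    # Secure attention key: like ^Z, it always returns to the supervisor.
    def sak(self, source: str) -> bool:
        if source != KERNEL:
            # A client or X server synthesising the key sequence must not be
            # able to bring up, or counterfeit, the supervisor screen.
            self.log.append(f"ignored SAK from {source}")
            return False
        self.foreground = SUPERVISOR
        self.log.append("foreground -> supervisor")
        return True

    # Desktop root authentication: the application only registers a request.
    def request_root_auth(self, app_id: str) -> None:
        self.pending[app_id] = AuthRequest(app_id)
        self.log.append(f"{app_id} waiting for SAK and root authentication")

    # Done by the user on the supervisor screen, never inside the application.
    def authenticate_request(self, app_id: str, root_password: str) -> Optional[str]:
        if self.foreground != SUPERVISOR:
            return None                      # no genuine SAK has happened
        req = self.pending.get(app_id)
        if req is None or not self._check("root", root_password):
            return None
        req.granted = True
        token = secrets.token_hex(16)        # the secured channel back to the app
        self.tokens[token] = app_id
        return token

    # Redeemed once by the privileged side the application then talks to.
    def redeem(self, token: str, app_id: str) -> bool:
        return self.tokens.pop(token, None) == app_id


def demo() -> List[str]:
    sup = SwitchingSupervisor({"alice": "pw-a", "bob": "pw-b", "root": "pw-root"})
    sup.login("alice", "pw-a")
    sup.login("bob", "pw-b")                 # refused: alice's server is in front
    sup.sak("xclient")                       # refused: not delivered by the kernel
    sup.sak(KERNEL)
    sup.login("bob", "pw-b")                 # allowed from the supervisor screen
    sup.request_root_auth("settings-applet")
    sup.authenticate_request("settings-applet", "pw-root")   # None: bob is in front
    sup.sak(KERNEL)
    token = sup.authenticate_request("settings-applet", "pw-root")
    sup.log.append(f"token redeemed: {sup.redeem(token, 'settings-applet')}")
    return sup.log


if __name__ == "__main__":
    print("\n".join(demo()))
```

Two properties of the model carry over to any real implementation: `sak()` discriminates on where the event came from, so nothing reachable from an X connection can trigger or imitate it, and `authenticate_request()` refuses unless the supervisor screen is already in the foreground, so the root password is never typed into a window that an application or its X server controls.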

Note that while the switching supervisor could adequately run in text
mode, making a nice-looking graphical one won't be difficult.
That would also allow the owner of the machine to configure the
appearance (magic words, a custom image, etc.) to make it harder for
an attacker to counterfeit the supervisor's screen.

It is probably not even possible to think about starting this project
until DRM/GEM/KMS stuff is more fully deployed, as the entire scheme
presupposes being able to switch between X servers without the X
servers' help.

"""
]]
