Annotation of wikisrc/projects/project/user-switching.mdwn, revision 1.2

[[!template id=project

title="User switching with a secure attention key"

contact="""
[tech-userlevel](,
[tech-x11](,
"""

category="desktop"
difficulty="hard"

description="""
In MacOS X, while logged in on the desktop, you can switch to another
user (leaving yourself logged in) via a system menu.

The best approximation to this we have right now is to hit ctrl-alt-Fn,
switch to a currently unused console, log in, and run startx with an
alternate screen number.
This has a number of shortcomings, both from the point of view of
general polish (logging in on a console and running startx is very
untidy, and you have to know how) and of technical underpinnings
(starting multiple X servers uses buckets of memory, may cause driver
or DRM/GEM issues, acceleration may not work except in the first X
server, etc.).

Ideally we'd have a better scheme for this.
We don't necessarily need something as slick as OS X provides, and we
probably don't care about Apple's compositing effects when switching,
but it's useful to be able to switch users as a way of managing least
privilege and it would be nice to make it easy to do.

The nature of X servers makes this difficult; for example, it isn't in
any way safe to use the same X server for more than one user.
It also isn't safe to connect a secure process to a user's X server to
display things.

It seems that the way this would have to work is akin to job control:
you have a switching supervisor process, which is akin to a shell,
that runs as root in order to do authentication and switches (or
starts) X servers for one or more users.
The X servers would all be attached, I guess, to the same graphics
backend device (wsfb, maybe? wsdrmfb?) and be switched in and out of
the foreground in much the way console processes get switched in and
out of the foreground on a tty.

You have to be able to get back to the switching supervisor from
whatever user and X server you're currently running in.
This is akin to ^Z to get back to your shell in job control.
However, unlike in job control there are security concerns: the key
combination has to be something that a malicious application, or even
a malicious X server, can't intercept.
This is the "secure attention key".
Currently even the ctrl-alt-Fn sequences are handled by the X server;
supporting this will take quite a bit of hacking.

Note that the secure attention key will also be wanted for other
desktop things: any scheme that provides desktop-level access to
system configuration needs to be able to authenticate a user as root.
The only safe way to do this is to notify the switching supervisor and
then have the user invoke the secure attention key; then the user
authenticates to the switching supervisor, and that in turn provides
some secured channel back to the application.
This avoids a bunch of undesirable security plumbing as is currently
found in (I think) GNOME; it also avoids the habit GNOME has of
popping up unauthenticated security dialogs asking for the root
password.

Note that while the switching supervisor could adequately run in text
mode, making a nice-looking graphical one won't be difficult.
That would also allow the owner of the machine to configure the
appearance (magic words, a custom image, etc.) to make it harder for
an attacker to counterfeit the thing.

It is probably not even possible to think about starting this project
until DRM/GEM/KMS stuff is more fully deployed, as the entire scheme
presupposes being able to switch between X servers without the X
servers' help.

"""
]]
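The following is an added toy model of the design sketched above, not code from the NetBSD project or the wiki page. It shows the two properties the description argues for: credentials are only ever typed at the switching supervisor, which accepts them only while it holds the foreground (reachable solely through the secure attention key), and an application asking for root authorization never sees the password; it receives only a MAC'd grant bound to the requesting application and user. The class and method names, the grant format, the `netcfg-gui` application name and the sample passwords are all constructed for the illustration; in the real design the kernel would deliver the SAK, and the X servers, not the `display` integers, would be what gets switched.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    display: int  # stands in for one per-user X server on the shared backend


@dataclass
class AuthRequest:
    req_id: str
    app: str
    user: str


class Supervisor:
    """Root-level switching supervisor: the only place credentials are typed."""

    SUPERVISOR = "supervisor"  # foreground marker for the supervisor itself

    def __init__(self):
        self._creds = {}                           # user -> (salt, pbkdf2 hash)
        self._grant_key = secrets.token_bytes(32)  # MAC key; never leaves here
        self.sessions = {}                         # user -> Session
        self.pending = {}                          # req_id -> AuthRequest
        self.foreground = self.SUPERVISOR

    def add_user(self, user, password):
        # Constructed credential store for the example (salted PBKDF2).
        salt = os.urandom(16)
        self._creds[user] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def _check(self, user, password):
        if user not in self._creds:
            return False
        salt, stored = self._creds[user]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def _require_sak(self):
        # Credentials are accepted only while the supervisor owns the display,
        # which in the design is reachable only via the secure attention key.
        if self.foreground != self.SUPERVISOR:
            raise PermissionError("supervisor not in foreground; press SAK first")

    def sak(self):
        """Secure attention key: routed to the supervisor regardless of which
        X server or application currently has the foreground."""
        self.foreground = self.SUPERVISOR

    def switch_to(self, user, password):
        """Log in (or resume) a user's session and put it in the foreground."""
        self._require_sak()
        if not self._check(user, password):
            return False
        if user not in self.sessions:
            self.sessions[user] = Session(user, display=len(self.sessions))
        self.foreground = user
        return True

    def request_auth(self, app, user):
        """Application side: ask for root authorization. The app gets an opaque
        request id and must tell the user to press SAK; it never draws the
        password dialog and never sees the password."""
        req_id = secrets.token_hex(8)
        self.pending[req_id] = AuthRequest(req_id, app, user)
        return req_id

    def authorize(self, req_id, root_password, ttl=300):
        """At the supervisor (after SAK) the user authenticates as root to approve
        a pending request. Returns a MAC'd grant bound to app and user, or None;
        on success the requesting session is resumed."""
        self._require_sak()
        req = self.pending.pop(req_id, None)
        if req is None or not self._check("root", root_password):
            return None
        payload = f"{req.app}|{req.user}|{int(time.time()) + ttl}".encode()
        tag = hmac.new(self._grant_key, payload, "sha256").hexdigest()
        self.foreground = req.user
        return payload.decode() + "|" + tag

    def verify_grant(self, grant, app, user):
        """Called by the privileged service the app talks to: valid only if the
        MAC checks out, the app/user binding matches and it has not expired."""
        try:
            g_app, g_user, expiry, tag = grant.split("|")
            expires_at = int(expiry)
        except ValueError:
            return False
        payload = f"{g_app}|{g_user}|{expiry}".encode()
        expected = hmac.new(self._grant_key, payload, "sha256").hexdigest()
        return (hmac.compare_digest(tag, expected) and g_app == app
                and g_user == user and expires_at > time.time())


def demo():
    """Whole flow: log in, app requests root auth, SAK, approve, verify grant."""
    sup = Supervisor()
    sup.add_user("root", "root-pw")  # constructed sample credentials
    sup.add_user("alice", "alice-pw")
    sup.switch_to("alice", "alice-pw")
    req = sup.request_auth("netcfg-gui", "alice")  # hypothetical app name
    sup.sak()
    grant = sup.authorize(req, "root-pw")
    return sup.verify_grant(grant, "netcfg-gui", "alice")


if __name__ == "__main__":
    print(demo())
```

The point of `_require_sak` is that `switch_to` and `authorize` refuse to run while any user session holds the foreground, so an application (or a compromised X server) that pops up a look-alike password dialog has no supervisor call to feed the captured password into; the only path to the real prompt is the key the supervisor alone receives. The grant carries no secret the application could reuse elsewhere: it is bound to one application, one user and a short expiry, and only a service sharing the supervisor's key can check it.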
