File: [NetBSD Developer Wiki] / wikisrc / projects / project / user-switching.mdwn
Revision 1.2
Mon Feb 16 07:49:46 2015 UTC by dholland
Branches: MAIN
CVS tags: HEAD
who am I kidding; this project is hard. in fact, more like "impossible"

[[!template id=project

title="User switching with a secure attention key"

In MacOS X, while logged in on the desktop, you can switch to another
user (leaving yourself logged in) via a system menu.

The best approximation to this we have right now is to hit ctrl-alt-Fn,
switch to a currently unused console, log in, and run startx with an
alternate screen number.
This has a number of shortcomings, both in general polish (logging in
on a console and running startx is untidy, and you have to know how)
and in its technical underpinnings (running multiple X servers uses a
great deal of memory, may trigger driver or drmgem issues, acceleration
may work only in the first X server, and so on).

Ideally we'd have a better scheme for this.
We don't necessarily need something as slick as OS X provides, and we
probably don't care about Apple's compositing effects when switching,
but it's useful to be able to switch users as a way of managing least
privilege and it would be nice to make it easy to do.

The nature of X servers makes this difficult; for example, it isn't in
any way safe to use the same X server for more than one user.
It also isn't safe to connect a secure process to a user's X server to
display things.

It seems that the way this would have to work is akin to job control:
you have a switching supervisor process, which is akin to a shell,
that runs as root in order to do authentication and switches (or
starts) X servers for one or more users.
The X servers would all be attached, I guess, to the same graphics
backend device (wsfb, maybe? wsdrmfb?) and be switched in and out of
the foreground in much the way console processes get switched in and
out of the foreground on a tty.

You have to be able to get back to the switching supervisor from
whatever user and X server you're currently running in.
This is akin to ^Z to get back to your shell in job control.
However, unlike in job control there are security concerns: the key
combination has to be something that a malicious application, or even
a malicious X server, can't intercept.
This is the "secure attention key".
Currently even the ctrl-alt-Fn sequences are handled by the X server;
supporting this will take quite a bit of hacking.

Note that the secure attention key will also be wanted for other
desktop things: any scheme that provides desktop-level access to
system configuration needs to be able to authenticate a user as root.
The only safe way to do this is to notify the switching supervisor and
then have the user invoke the secure attention key; then the user
authenticates to the switching supervisor, and that in turn provides
some secured channel back to the application.
This avoids a bunch of undesirable security plumbing as is currently
found in (I think) GNOME; it also avoids the habit GNOME has of
popping up unauthenticated security dialogs asking for the root
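The handshake sketched above, as an added illustration that is not NetBSD code (every name is hypothetical, and the password check stands in for the real password database): the application never sees a dialog or a credential, the supervisor only accepts a password after the kernel has delivered a secure attention key event for that request, and the approval it hands back is bound to the requesting application and the one action it asked for.

```python
import hashlib
import hmac
import secrets
# Constructed stand-in for the root credential (real: the passwd database).
ROOT_HASH = hashlib.sha256(b"placeholder-root-password").digest()

class SwitchingSupervisor:
    """Hypothetical root supervisor: only it sees the password and only it
    holds the key that mints approvals, so an app can forge neither."""

    def __init__(self, root_hash=ROOT_HASH):
        self._root_hash = root_hash
        self._token_key = secrets.token_bytes(32)
        self._pending = {}    # rid -> [app_id, action, state]
        self._focused = None  # request the SAK has brought forward

    def request_auth(self, app_id, action):
        # An app asks for root for one action and gets only an opaque id.
        rid = secrets.token_hex(8)
        self._pending[rid] = [app_id, action, "pending"]
        return rid

    def on_secure_attention_key(self, rid):
        # Entered only from the kernel's SAK handler, never from an app.
        self._focused = rid if rid in self._pending else None

    def authenticate(self, rid, password):
        # Checked only while the SAK has handed focus to the supervisor.
        if rid is None or rid != self._focused:
            return None
        self._focused = None  # one SAK press buys exactly one attempt
        req = self._pending[rid]
        supplied = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(supplied, self._root_hash):
            req[2] = "denied"
            return None
        req[2] = "granted"
        return rid + "." + self._mac(rid, req[0], req[1])

    def _mac(self, rid, app_id, action):
        msg = f"{rid}:{app_id}:{action}".encode()
        return hmac.new(self._token_key, msg, hashlib.sha256).hexdigest()

    def verify(self, token, app_id, action):
        # The secured channel back: is this a grant for this app and action?
        rid, _, mac = token.partition(".")
        req = self._pending.get(rid)
        if req is None or req[2] != "granted":
            return False
        return hmac.compare_digest(mac, self._mac(rid, app_id, action))
```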

Note that while the switching supervisor could adequately run in text
mode, making a nice-looking graphical one won't be difficult.
A graphical one would also let the owner of the machine configure its
appearance (magic words, a custom image, etc.) so that it is harder for
an attacker to counterfeit.

It is probably not even possible to think about starting this project
until DRM/GEM/KMS stuff is more fully deployed, as the entire scheme
presupposes being able to switch between X servers without the X
servers' help.
