[OpenAFS] Ubuntu 10.04 Login Issues

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 22 Dec 2010 14:54:21 -0500


On 12/22/2010 2:35 PM, Thomas M. Payerle wrote:
> On Wed, 22 Dec 2010, Thomas Calderon wrote:
>
> We encountered the same issue when rolling out an updated desktop
> environment using Gnome.
>
> gnome-screensaver, for various security reasons, takes a multiprocess
> approach.  The main locking process detects mouse/keyboard activity, and
> then runs another process to handle the dialog (this allows the dialog
> process to safely use higher level desktop widgets, themes, etc.  If it
> crashes, the screen remains locked, which is the secure alternative.)
>
> The issue occurs if home directories are in AFS, and the AFS tokens expire
> between the locking of the screen and when attempting to unlock it.  The
> dialog process then tries to open a window on the display to prompt for
> the password, but cannot access ~/.Xauthority as it is in the AFS-located
> home directory and does not have valid AFS tokens.
>
> I do not see any good ways to get around this.  Allowing something without
> the user's tokens read access to ~/.Xauthority seems rather questionable,
> plus awkward as it needs some access to ~ as well.

Perhaps at logon the machine is added as an IP ACL to the requisite
directory using the user's acquired token, and the ACL is then removed at
logout (or something along that line of thought...).

Jeffrey Altman
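The login/logout hook sketched above, as an added example that is not part of the thread and not OpenAFS project code. It assumes, hypothetically, that the user keeps the X authority file in a private subdirectory (XAUTHORITY=~/.xauth/Xauthority), that the user owns a pts group named <user>:xauth, and that an administrator has already created a pts entry for the workstation's IP address (pts createuser -name <ip>), since ordinary users cannot create pts user entries. The pts and fs invocations are real OpenAFS commands; the script only builds and runs them, and AFS_RUN=echo prints them instead. Keeping .Xauthority in a subdirectory goes slightly beyond the text: it lets the host get only lookup ('l') on ~ and read ('rl') on the subdirectory, instead of read on everything in the home directory.

```shell
#!/bin/sh
# Added example (not from the thread). Grant and revoke host-based AFS
# access to the directory holding ~/.Xauthority around a desktop session.
# Assumptions (hypothetical): $XAUTHORITY points into ~/.xauth/, the user
# owns the pts group "<user>:xauth", and a pts entry for the host IP
# already exists (created by an administrator with "pts createuser").
# Set AFS_RUN=echo to print the pts/fs commands instead of running them.

: "${AFS_RUN:=run_cmd}"
run_cmd() { "$@"; }

# Directory that holds the X authority file (argument overrides $XAUTHORITY).
xauth_dir() {
    dirname "${1:-${XAUTHORITY:-$HOME/.Xauthority}}"
}

# At login, while the user's own token is valid: add the host to the user's
# group, then give the group lookup on ~ and read on the .Xauthority dir.
grant_host_access() {
    group=$1; host_ip=$2; home=$3; xdir=$4
    $AFS_RUN pts adduser -user "$host_ip" -group "$group" || return 1
    # 'l' on ~ only allows name lookup; file contents in ~ stay protected.
    $AFS_RUN fs setacl -dir "$home" -acl "$group" l || return 1
    # 'rl' on the subdirectory is all the unlock dialog needs.
    $AFS_RUN fs setacl -dir "$xdir" -acl "$group" rl
}

# At logout: remove the ACL entries, then drop the host from the group.
# Caveat: the fileserver caches a host's group memberships, so the
# revocation may not take effect on the server immediately.
revoke_host_access() {
    group=$1; host_ip=$2; home=$3; xdir=$4
    $AFS_RUN fs setacl -dir "$xdir" -acl "$group" none || return 1
    $AFS_RUN fs setacl -dir "$home" -acl "$group" none || return 1
    $AFS_RUN pts removeuser -user "$host_ip" -group "$group"
}

# Usage from a session hook (after tokens are acquired at login):
#   xauth-acl.sh grant 10.0.0.5      at login
#   xauth-acl.sh revoke 10.0.0.5     at logout
if [ $# -ge 2 ]; then
    group=${AFS_GROUP:-"$(id -un):xauth"}
    xdir=$(xauth_dir)
    case $1 in
        grant)  grant_host_access "$group" "$2" "$HOME" "$xdir" ;;
        revoke) revoke_host_access "$group" "$2" "$HOME" "$xdir" ;;
        *) echo "usage: $0 grant|revoke <host-ip>" >&2; exit 2 ;;
    esac
fi
```

Note that this reproduces exactly the trade-off Payerle raised: an IP ACL entry applies to every process on that workstation, so any local user there can read the authority cookie while the session is open, and the fileserver's cached host membership means the window does not close the instant the user logs out.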
