[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: shutdown from gnome logout dialog

On Tue, Sep 16, 2003 at 01:19:00PM +0200, Thomas Morin wrote:
> Quote Sven Luther <sven.luther@wanadoo.fr>:
>  | On Mon, Sep 15, 2003 at 09:46:26PM +0200, Carlos Perelló Marín wrote:
>  | > It's not a bad idea but it has some security issues. What happens if an
>  | > application executes "touch $HOME/.gdm-reboot"? the user does not want
>  | > reboot the machine but a virus/trojan could do it without problems
>  | 
>  | What about gdm passing to gnome-session a magic number or something, and
>  | gdm would only reboot/halt if this same magic number would be found in
>  | the .gdm-reboot/halt file ?
>  |
>  | As the magic number will only be known to gdm and gnome-session, it
>  | should be secure, unless your random number generator is compromised,
>  | but in these case, i suspect you are in deeper trouble anyway.
> But how could this magic number be known _only_ to gnome-session ?

Well, i was thinking that gdm would pass it to gnome-session (or
whatever) as an argument to the login script or something such, sure it
is not really secure, as i guess it is easy to access it, but it is not
too easy, and rules out any kind of mistakes or multi-session problems
that may arise. If you really want to do real security, you could
imagine an encrypted password chalenge or some other such schemes, but i
believe it is not worth it in this case.


Sven Luther

Reply to: