Re: GNOME privilege library



dbus doesn't support the passing of capabilities. In a good SELinux
system then many of my setuid helpers are not permitted to do anything
dangerous like talk to the user. In many other cases they are not
permitted to open user files. [1]

Take printing for example - the print service should not be able to read
user files, and users should not be able to write stuff as the print
service. Instead the user can hand over a file handle. A small setuid
(non-X) helper run from an X application can do this kind of thing
while dbus apparently lacks the ability to pass files or verifiable
credentials.

AF_UNIX sockets can do it to an extent (it can't pass SELinux roles) so
maybe dbus can be persuaded to do such things?

Alan

[1] Seriously - there are tools that take this approach and only are
permitted to communicate by exit code to the unprivileged helper and by
writing to the tape unit. The helper will turn an exit code into a
status report but it means that if someone breaks the backup system they
still don't get to steal any data.
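
The AF_UNIX mechanism mentioned above, as an added example that is not part of the original message: the user side passes an open file handle with SCM_RIGHTS, and the service side checks the sender's kernel-recorded uid with SO_PEERCRED before reading from it. Linux is assumed; the function names, the print-job roles and the file content are constructed for illustration.

```python
import array, os, socket, struct, tempfile

def send_fd(sock, fd):
    """Hand one open descriptor to the peer as SCM_RIGHTS ancillary data."""
    # At least one byte of ordinary data has to travel with the control message.
    sock.sendmsg([b"F"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])

def recv_fd(sock):
    """Receive exactly one descriptor; close and reject anything else."""
    fds = array.array("i")
    _, ancdata, flags, _ = sock.recvmsg(1, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(cdata[:len(cdata) - len(cdata) % fds.itemsize])
    if len(fds) != 1 or flags & socket.MSG_CTRUNC:
        for fd in fds:
            os.close(fd)
        raise OSError("expected exactly one passed descriptor")
    return fds[0]

def peer_cred(sock):
    """(pid, uid, gid) of the peer as recorded by the kernel (Linux SO_PEERCRED)."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("iII"))
    return struct.unpack("iII", raw)

def submit_job(sock, path):
    """User side (hypothetical): open with the user's own rights, pass only the handle."""
    fd = os.open(path, os.O_RDONLY)    # the receiver gets this same read-only mode
    try:
        send_fd(sock, fd)
    finally:
        os.close(fd)                   # the in-flight copy stays valid

def accept_job(sock, allowed_uid):
    """Service side (hypothetical): check the sender's uid, then read via the handle."""
    _, uid, _ = peer_cred(sock)
    if uid != allowed_uid:
        raise PermissionError(f"uid {uid} may not submit jobs")
    with os.fdopen(recv_fd(sock), "rb") as job:
        return job.read()

def demo():
    """Both ends in one process via socketpair; the file content is constructed."""
    user_end, service_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with user_end, service_end, tempfile.NamedTemporaryFile() as f:
        f.write(b"constructed print job\n")
        f.flush()
        submit_job(user_end, f.name)
        return accept_job(service_end, os.geteuid())

if __name__ == "__main__":
    print(demo())
```

The service side never opens a path itself: it can read only what was handed to it, and only in the mode the sender opened it with.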



