Re: GMountOperation concerns



On Wed, 2007-12-12 at 12:05 -0500, David Zeuthen wrote:
> So I'm thinking a similar pattern would be useful for g_volume_mount();
> it would move all credentials handling out of process. The downside is
> that the application itself cannot draw its own dialogs for asking for
> credentials. But I think that's fine; we don't let gnome-keyring-using
> apps do this either.

Just to clarify; this is how the interaction would be

 +---------------------+          gvfs IO Channel
 | App using libgio.so |--------------------+
 +---------------------+                    |
        |                          +-----------------------------+
        | IPC (e.g. D-Bus)         | out-of-process gvfs plug-in |
        |                          +-----------------------------+
  +-------------------------+                |
  | ask-credentials-program |----------------+
  +-------------------------+       Secure Channel for
                                    passing credentials
                            (not D-Bus in session bus mode as the
                                    bus is snoopable)

Of course to make this secure both ask-credentials-program and the
out-of-process gvfs plugin (e.g. smb://) will need to be locked down.
One easy way to do this on plain-vanilla UNIX-like systems is to make
them setgid nobody (so libc secure mode kicks in).

Also, the ask-credentials-program could be a proxy for a GTK+ program,
e.g. gtk-ask-credentials-program, that runs on another secure desktop
session (e.g. the gdm login screen) and to get there you would need to
use SAK (secure attention key; e.g. ctrl+alt+backspace or whatever); or
when the windowing system and toolkit have secure modes that could be
used.

For the record I'm not proposing that we do this work now; I'm only
proposing to make the API secure and capable of doing things like this
in the future.

     David
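Added example, not code from David's mail or from gvfs: a sketch in C of the two checks an ask-credentials-program of the kind described above could make before accepting a credential. It assumes Linux/glibc (getauxval(AT_SECURE) exposes libc secure mode; SO_PEERCRED gives kernel-vouched peer credentials on a UNIX socket) and uses a socketpair in place of the real secure channel.

```c
#define _GNU_SOURCE
#include <string.h>
#include <unistd.h>
#include <sys/auxv.h>
#include <sys/socket.h>

/* libc "secure mode", what the mail wants from making the helper setgid:
 * the kernel sets AT_SECURE and glibc then ignores LD_PRELOAD, LD_LIBRARY_PATH
 * and similar variables that could otherwise redirect the helper. */
int in_libc_secure_mode(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* The kernel, not the peer, reports who is on the other end of a UNIX
 * socket; a process running as another user is rejected. */
int peer_is_same_user(int fd)
{
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) != 0)
        return 0;
    return cr.uid == getuid();
}

/* Read a credential from a verified peer; -1 if the peer check fails. */
ssize_t receive_credential(int fd, char *buf, size_t buflen)
{
    if (!peer_is_same_user(fd))
        return -1;
    ssize_t n = read(fd, buf, buflen - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Self-contained demo: a socketpair stands in for the secure channel and a
 * constructed sample string for the password. Returns bytes received. */
int demo(char *out, size_t outlen)
{
    int sv[2];
    const char *secret = "constructed-sample-password";
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    if (write(sv[0], secret, strlen(secret)) < 0)
        return -1;
    int n = (int)receive_credential(sv[1], out, outlen);
    close(sv[0]); close(sv[1]);
    return n;
}
```

A real helper would also wipe the buffer once the credential has been handed to the gvfs plug-in.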



