DBus - Sessionbus rights

John (J5) Palmieri johnp at redhat.com
Mon Apr 7 09:43:51 EDT 2008


On Sun, 2008-04-06 at 15:32 -0400, Michael Stone wrote:
> On Sun, Apr 06, 2008 at 01:11:55AM -0400, Polychronis Ypodimatopoulos wrote:
> > The SystemBus is used for communication between processes that belong to 
> > different users. By default, /etc/dbus-1/system.conf says "...Deny 
> > everything then punch holes...". Why do we forbid the default user 
> > (olpc) by default from advertising processes under a "well known name"? 
> 
> Simple inertia combined with the fact that the authors of most processes
> running as uid 500 have considered their software to be "session"
> software rather than "system" software. If you feel differently, please
> consider suggesting a policy that you think is a better fit for our
> division of responsibility. (Though take into account the fact that we
> are presently trying to get Sugar and its dependencies running on
> non-OLPC systems.)
> 
> > What's wrong with user processes making their presence known on SystemBus?
> 
> My suspicion is that it's an anti-spoofing measure, but that's merely a
> guess. Have you considered asking on one of the dbus mailing lists?

Luckily all mail with DBus in the header gets filtered into a single
folder ;)  Yes spoofing is the answer here (it is sort of like asking
why can't users create applications that run from /usr/bin though not
quite exact).  If we allowed users to grab names on the system bus that
aren't marked as allowed to be used by users they could spoof HAL, the
datastore or even the bus itself.  Since applications running as root
also access these services it could be used as an exploit to gain root
privileges. In any case the session bus is what you want to use to
create services other apps (in the session) can use. 

I don't know if OLPC's security model allows you to write to the local
autostart directory but if it did you could even use that facility.  I
would suggest OLPC however restrict names to the application's own
namespace and reserve certain namespaces (like org.laptop) for signed
bundles.
 
-- 
John (J5) Palmieri <johnp at redhat.com>
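
The deny-then-punch-holes name ownership policy discussed in this thread can be checked offline. The following is an added example, not part of the original message and not D-Bus project code. It evaluates the `own` and `own_prefix` rules of a `<busconfig>` policy for one user, applying default, per-user and mandatory policies in that order with the last matching rule winning. Assumptions: group and at_console policies are not modelled, and the sample policy and the `org.example.Mesh` name are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy in dbus-daemon <busconfig> syntax; the rules and
# the org.example.Mesh name are placeholders, not taken from the message.
SAMPLE_POLICY = """
<busconfig>
  <policy context="default">
    <deny own="*"/>
  </policy>
  <policy user="root">
    <allow own="org.freedesktop.Hal"/>
  </policy>
  <policy user="olpc">
    <allow own_prefix="org.example.Mesh"/>
  </policy>
  <policy context="mandatory">
    <deny own="org.freedesktop.DBus"/>
  </policy>
</busconfig>
"""

def _matches(rule, name):
    """True if an <allow>/<deny> rule is about owning `name`."""
    own, prefix = rule.get("own"), rule.get("own_prefix")
    if own is not None:
        return own == "*" or own == name
    if prefix is not None:  # prefix matches whole dot-separated components
        return name == prefix or name.startswith(prefix + ".")
    return False  # send/receive rules are not ownership rules

def may_own(policy_xml, user, name):
    """Return True if `user` may own `name` on the bus under this policy."""
    policies = ET.fromstring(policy_xml).findall("policy")
    # Order of application: default, then per-user, then mandatory.
    # Group and at_console policies are ignored (assumption of this example).
    ordered = ([p for p in policies if p.get("context") == "default"]
               + [p for p in policies if p.get("user") == user]
               + [p for p in policies if p.get("context") == "mandatory"])
    allowed = False  # no matching rule at all means the request is denied
    for policy in ordered:
        for rule in policy:
            if rule.tag in ("allow", "deny") and _matches(rule, name):
                allowed = (rule.tag == "allow")  # later rules override
    return allowed

def ownable_names(policy_xml, user, names):
    """Subset of `names` that `user` is allowed to claim."""
    return [n for n in names if may_own(policy_xml, user, n)]
```

Running `ownable_names` for an unprivileged user against the names of privileged services shows which of them that user could claim on the bus.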



