[sugar] Initial Security Patches

Noah Kantrowitz kantrn at rpi.edu
Wed Aug 1 01:25:47 EDT 2007


Michael Stone wrote:
> Simon,
>
> On Tue, 2007-07-31 at 14:20 +0100, Simon McVittie wrote:
>   
>> On Mon, 30 Jul 2007 at 16:21:36 -0400, Michael Stone wrote:
>>     
>>>      @dbus.service.signal(_DBUS_OWNER_IFACE, signature="s")
>>>      def CurrentActivityChanged(self, activity_id):
>>> -        pass
>>> +        if os.path.exists('/etc/olpc-security'):
>>> +            self.rainbow.activity_changed(activity_id)
>>>       
>> Minor: It's conventional for D-Bus methods to be named in CamelCase.
>>     
>
> I don't care much whether we follow this convention or the PEP-8
> convention:
>
>     "Function names should be lowercase, with words separated by
>     underscores as necessary to improve readability."
>   
I changed the two new methods in rainbow, but left "create_activity" to
avoid breaking sugar.
>   
>> More major: This looks like an example of the same method/signal
>> naming inversion we have in Telepathy's streamed media interfaces (which we
>> consider to be a bug). Methods should be verbs, like ChangeActivity;
>> signals should be events, like ActivityChanged. Can't Rainbow just
>> listen for _DBUS_OWNER_IFACE::CurrentActivityChanged? If you're implementing
>> Rainbow in Python, that's spelt:
>>
>>     bus = dbus.SessionBus()
>>     bus.add_signal_receiver(some_callback, 'CurrentActivityChanged',
>>                             _DBUS_OWNER_IFACE)
>>     
>
> Rainbow runs as root; hence, it is statically prevented from connecting to the
> DBus session bus by the DBus access control checks. Options include:
>
>   1) Do what we presently do.
>   2) Modify DBus to make an exception to this access check.
>   3) Have Sugar also send the signal on the system bus.
>
> We leaned towards number (1) because it is minimally invasive and because it
> suggests a good future path for gating activity-foregrounding request should
> this prove necessary.
>
> No. (2), though technically possible and in some ways, convenient, is not going
> to fly with the DBus upstream maintainers because it's not a good general
> solution. 
>
> If (3) is dramatically more palatable than (1), I don't mind switching now.
>
>
>   
2 is actually fairly easy, its just a few lines in our session.conf (the
session bus daemon config file). The reason I avoided it is more that it
breaks the design behind the system/session split more than 1.
>> If you only want to respond to CurrentActivityChanged from the process
>> or object that ought to be emitting it, you can also specify a bus name
>> or object path, or you can use connect_to_signal() on a proxy for that
>> object.
>>     
>
> This is good to know; however, insofar as we care, we actually care about
> preventing unauthorized processes from sending the signal. In fact, "Sugar"
> understood broadly is the only group of processes that will be allowed to send
> messages to Rainbow.
>
>   
So far yes, P_IDENT may prove more interesting though depending on how
we coordinate the activity with presence service and rainbow.
>> If you must use a method call for some technical reason, it'd be less
>> astonishing if it was called something like ChangeCurrentActivity.
>>     
>
> Not a problem.
>
>   
Already done in the latest patch.
>> Proxy objects trigger an Introspect() call every time they're created,
>> so you may want to cache this proxy object for use in future launches.
>>     
>
> Okay.
>   
Ditto.
>
> Thanks again,
>
>
> Michael
>
>
> _______________________________________________
> Sugar mailing list
> Sugar at lists.laptop.org
> http://lists.laptop.org/listinfo/sugar
>
>   



More information about the Sugar mailing list