An issue with group based <policy> in dbus daemon
msa at moth.iki.fi
Mon Aug 4 01:06:37 PDT 2008
In dbus configuration you can say
I thought this was actually checking against the *current* client
process supplementary groups. However, it basically only checks against
static /etc/groups information based on the client process UID.
I needed the check against the current set, because the idea was to
dynamically add or remove some groups to/from the process context.
After looking at the problem in more detail, I kind of understand why
the feature I want is not there:
- it appears that there is currently no way in Linux to ask whether
another process has a specific group in its task context. (Even
more so, it appears that you cannot even write a kernel module to
do this, because the required functions are not exported from
However, I did experimentally add a function into Linux kernel sys.c
to do the required test (is a gid in context of process identified by
pid), and wrote a module that would give access to this function from
the user space.
I also experimentally patched the dbus daemon code to understand a new
policy attribute, which checks against the dynamic supplementary
groups. Thus, for example
would actually check whether the current supplementary groups of the
client process contain the group "something".
The questions I have
- has anyone else needed similar functionality?
- should I just redefine the <policy group=..> semantics, or do we
need the new keyword, like "dgroup" or something?
The solution is a bit hairy, because it does require a changed kernel
(at least I haven't found any other way to test the group of another
Any thoughts or opinions?
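The two notions of "group membership" the post contrasts, as an added illustration that is not code from the post, from dbus or from the kernel patch described: the static view derives the client's groups from the group database for its UID (the getgrouplist() style result dbus uses), while the live view is the supplementary set the kernel currently holds for the task, which a setgroups() call changes without touching /etc/group. The group file, the /proc status text and the user "alice" are constructed sample data; reading the real live set from the "Groups:" line of /proc/<pid>/status is Linux-specific and is the only part that touches the system.

```python
import os
from typing import Dict, Set, Tuple

# Constructed sample /etc/group content (not from a real system):
# "alice" is listed in audio and something, but not in video.
SAMPLE_GROUP_FILE = """\
root:x:0:
audio:x:29:alice
video:x:44:
something:x:1001:alice
"""

# Constructed /proc/<pid>/status excerpt for a client running as alice whose
# supplementary set was changed at runtime: "something" was dropped,
# "video" was added. Field layout follows proc(5).
SAMPLE_PROC_STATUS = """\
Name:\tclient
State:\tS (sleeping)
Uid:\t1000\t1000\t1000\t1000
Gid:\t1000\t1000\t1000\t1000
Groups:\t1000 44 
"""


def parse_group_file(text: str) -> Dict[str, Tuple[int, Set[str]]]:
    """Parse 'name:passwd:gid:member,member' lines into name -> (gid, members)."""
    groups: Dict[str, Tuple[int, Set[str]]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _passwd, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def static_groups(username: str, primary_gid: int, group_file_text: str) -> Set[int]:
    """The static view: primary gid plus every group entry that names the user.

    This is what a getgrouplist()-style lookup keyed on the client's UID yields,
    regardless of what the client process is actually running with."""
    gids = {primary_gid}
    for gid, members in parse_group_file(group_file_text).values():
        if username in members:
            gids.add(gid)
    return gids


def live_groups_from_status(status_text: str) -> Set[int]:
    """The live view: gids on the 'Groups:' line of a /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("Groups:"):
            return {int(g) for g in line.split(":", 1)[1].split()}
    raise ValueError("no Groups: line in status text")


def live_groups(pid: int) -> Set[int]:
    """Read the live supplementary set of a running process (Linux only)."""
    with open(f"/proc/{pid}/status", encoding="ascii") as f:
        return live_groups_from_status(f.read())


def policy_group_allows(group_name: str, gids: Set[int], group_file_text: str) -> bool:
    """Evaluate a <policy group="group_name"> rule against a set of gids.

    A group name that does not exist in the group file never matches."""
    entry = parse_group_file(group_file_text).get(group_name)
    return entry is not None and entry[0] in gids


def compare_views(group_name: str, username: str, primary_gid: int,
                  group_file_text: str, status_text: str) -> Tuple[bool, bool]:
    """Return (static_result, live_result) for one policy group rule."""
    static = policy_group_allows(
        group_name, static_groups(username, primary_gid, group_file_text), group_file_text)
    live = policy_group_allows(
        group_name, live_groups_from_status(status_text), group_file_text)
    return static, live


if __name__ == "__main__":
    for name in ("something", "video", "audio"):
        print(name, compare_views(name, "alice", 1000, SAMPLE_GROUP_FILE, SAMPLE_PROC_STATUS))
    # The same parser applied to this process's own live set:
    print("own live groups:", sorted(live_groups(os.getpid())))
```

In the sample, a rule for "something" passes under the static view and fails under the live one, while "video" does the opposite, which is exactly the divergence that makes a runtime setgroups() invisible to a policy evaluated from the group database.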