<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">2013/2/27 Simon McVittie <span dir="ltr"><<a href="mailto:simon.mcvittie@collabora.co.uk" target="_blank">simon.mcvittie@collabora.co.uk</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 26/02/13 22:15, Krzysztof Konopko wrote:<br>
> Rummaging in /proc for credentials is an interesting approach: if done<br>
> incorrectly it can be a time of check/time of use vulnerability, but I<br>
> think you've avoided that.<br>
><br>
><br>
> I've been considering tidying it up and making generic enough to<br>
> potentially replace some getpw*() calls altogether as the latter ones<br>
> are just an "implementation detail". In many cases all that D-Bus<br>
> daemon cares about is the same what the kernel cares about: numbers<br>
> (UIDs/GIDs).<br>
<br>
</div>getpw*() and getgrouplist() are the only portable interface for this:<br>
/proc is Linux-specific.<br></blockquote><div><br></div><div style>Oh yes, this would be Linux-specific.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
If you wanted to extend the D-Bus policy language to support<br>
<br>
<policy user="#0">...</policy><br>
<policy group="#42">...</policy><br>
<br>
which didn't bother with a getpwnam() or getpwuid() and just did simple<br>
integer matching, that would be fine. (If you do: bug report, please.)<br></blockquote><div><br></div><div style>I thought it's already supported but personally I don't think it's a good idea to use it. To me policies should be based on "static" (well defined) users and groups that exist on the system when dbus-daemon starts and that can be referred by human-readable names. Otherwise IMO it leads to sloppy policies.</div>
<div style><br></div><div style>OTH I think it's fine (to some degree) if a process joins a group "dynamically" or runs with a "dynamically" assigned UID so that policies can be leveraged to the full extent. The idea here is inspired by the aforementioned Android where a newly installed application gets a unique UID assigned and becomes a member of groups required for its normal operation. So one gets nice privilege separation but it becomes tricky if anything like /etc/{passwd,group} has to be modified to achieve this. My approach was to separate these concerns in D-Bus by detaching from standard libc getpw*() approach wherever possible.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Similarly, I wouldn't object to a patchset which tried to obtain peer<br>
processes' groups via /proc on Linux, falling back to mapping the uid to<br>
a username then calling getgrouplist() for that username on other Unix<br>
platforms - but this would need to be checked for regressions on at<br>
least one non-/proc Unix platform, and I suspect the code structure may<br>
make this harder than it looks at first glance. That would resolve<br>
<<a href="https://bugs.freedesktop.org/show_bug.cgi?id=9328" target="_blank">https://bugs.freedesktop.org/show_bug.cgi?id=9328</a>> if implemented.<br></blockquote><div><br></div><div style>I'm keen to make such an attempt. With small patches and well understood steps I think it's plausible. It won't be a rapid activity though due to limited amount of my spare time. Looking forward though to get on with it.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb"><div class="h5"><br>
S<br></div></div></blockquote><div><br></div><div><br></div><div style>Cheers,</div><div style>Kris</div><div style> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb"><div class="h5">
_______________________________________________<br>
dbus mailing list<br>
<a href="mailto:dbus@lists.freedesktop.org">dbus@lists.freedesktop.org</a><br>
<a href="http://lists.freedesktop.org/mailman/listinfo/dbus" target="_blank">http://lists.freedesktop.org/mailman/listinfo/dbus</a><br>
</div></div></blockquote></div><br></div></div>