[systemd-devel] Secret machine-id for RFC 7217 stable addresses

Simon McVittie simon.mcvittie at collabora.co.uk
Fri Oct 9 03:35:18 PDT 2015


On 08/10/15 21:47, Tom Gundersen wrote:
> On Mon, Sep 7, 2015 at 7:49 PM, Lubomir Rintel <lkundrak at v3.sk> wrote:
>> This sounds a bit like machine-id, unfortunately given it's world
>> readable and available via DBus (and possibly on a network?) it
>> doesn't seem to be secret enough.

For context, the D-Bus machine ID (on which the systemd machine ID was
based) was intended to be used somewhat like the hostname, except with
the expectation that it is actually unique (unlike hostnames, which are
user-meaningful and therefore somewhat likely to collide). For instance,
GNOME's displays control panel stores a separate monitor layout per
machine ID, so that each machine has its appropriate monitor layout even
if they NFS-share a home directory.

Like a hostname, the machine ID is not really meant to be secret; for
instance, I think it would be OK to use the machine ID as a fallback
hostname, which could result in it being sent over the network in DHCP
or mDNS packets.

> A priori, it would perhaps have been nice to consider the real
> machine-id on disk to be "secret", and only ever expose a hash of it

How secret is "secret" here? Readable by root only? Readable by root and
system users? Readable by all local users? If a system component like
systemd (or D-Bus for that matter) is going to provide this as a "system
API", then it needs to be well-defined.

From the D-Bus point of view, in new installations it seems fine to use
the hash of a random secret as a basis for the world-readable machine
ID. However, in existing installations that are upgraded, the old
machine ID should always be preserved.

    S

-- 
Simon McVittie
Collabora Ltd. <http://www.collabora.com/>
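
The scheme discussed in this message, as an added example that is not part of the original post and is not systemd or D-Bus code: new installations derive the world-readable machine ID from a root-only random secret, upgrades keep the existing ID, and the same secret keys an RFC 7217 style interface identifier. The file name `machine-secret`, the label string and the choice of HMAC-SHA256 as the function F are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

LABEL = b"public-machine-id-v1"  # hypothetical domain-separation label


def derive_public_id(secret: bytes) -> str:
    """Keyed hash of the secret, truncated to the 128-bit (32 hex digit) machine ID size."""
    return hmac.new(secret, LABEL, hashlib.sha256).hexdigest()[:32]


def stable_iid(secret: bytes, prefix: bytes, ifname: bytes,
               network_id: bytes = b"", dad_counter: int = 0) -> bytes:
    """RFC 7217: RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).

    Fields are length-prefixed so that different inputs cannot collide after
    concatenation; the low 64 bits become the interface identifier.
    """
    fields = (prefix, ifname, network_id, bytes([dad_counter]))
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


def provision(etc_dir: str):
    """Return (public_id, created). An existing machine ID is never replaced."""
    public_path = os.path.join(etc_dir, "machine-id")
    secret_path = os.path.join(etc_dir, "machine-secret")  # hypothetical path
    if os.path.exists(public_path):
        # Upgraded installation: preserve the old machine ID unchanged.
        with open(public_path) as f:
            return f.read().strip(), False
    # New installation: the secret is readable by its owner only (mode 0600).
    secret = secrets.token_bytes(32)
    fd = os.open(secret_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    # The derived ID is world-readable, like a hostname.
    public_id = derive_public_id(secret)
    fd = os.open(public_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "w") as f:
        f.write(public_id + "\n")
    return public_id, True
```

Because the public ID is a one-way function of the secret, publishing it over D-Bus, DHCP or mDNS does not let an observer recompute the interface identifier, which depends on the secret itself.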
