Tracking users/sessions on the console
david at fubar.dk
Mon Jan 30 11:27:22 PST 2006
On Sun, 2006-01-29 at 16:05 -0500, Havoc Pennington wrote:
> If we want to base security policy on it, doesn't the system bus have to
> "verify" the session claimed by each thing that connects to it?
> I can imagine something based on PID (e.g. ask the session bus if the
> PID of the system bus connection is also attached to the session bus),
> though this requires trusting the session bus so probably isn't
> viable... maybe something like the system bus gives each session bus a
> secret cookie, and to show membership in the session an app has to get
> the cookie from the session bus and hand it back to the system bus...
> but again this assumes we trust the session bus not to "leak" the
> What am I missing?
So I do happen to think of the session bus address as this cookie, and,
yes, it's very easy for the session to leak it. In that event you've
probably already lost though... if you can connect to the session bus
there's lots of evil things you can do... In reality I don't see the
session bus address being leaked unless you got malicious code running
in your session.. and then you lost too..
Wrt. basing security policy on this I think it looks like this
1. login auth using gdm
3. launch session message bus, set DBUS_SESSION_BUS_ADDRESS
(registers with system message bus)
4. After step 3., when the session bus is launched (and registered
with the system message bus), some bit in gdm somehow retrieves
the DBUS_SESSION_BUS_ADDRESS and pokes a privileged interface on
the system message bus to tell that the session with
DBUS_SESSION_BUS_ADDRESS is indeed running on a console or not,
and if it is, what's the physical console number.
5. launch rest of session
6. gnome-power-manager connects to system message bus, pass
DBUS_SESSION_BUS_ADDRESS. We now know what session method
calls from g-p-m stems from and in e.g. HAL we can deny
method calls on device objects not belonging to a specific
So I think this is secure. But, yes, it does heavily relies on
DBUS_SESSION_BUS_ADDRESS not being leaked out of the session. But I
think that is a fair assumption and even it is leaked we'd still do the
at_console checks we can do today.
What do you think?
More information about the dbus