Tracking users/sessions on the console

Jamie McCracken jamiemcc at blueyonder.co.uk
Tue Jan 31 16:02:48 PST 2006


Havoc Pennington wrote:
> On Tue, 2006-01-31 at 11:32 +0000, Jamie McCracken wrote:
>> it would be best to use public key encryption here (the public key could 
>> be used to get the session bus address). The private key would need to 
>> be obfuscated so its not readily visible in a core dump of the session 
>> bus nor accessible api wise - not perfect security I admit but its 
>> better than nothing
>>
> 
> What does that solve? If the private key is in the user's session,
> people can still do everything they could do before.

Thats right but it gives us a means to detect if the app is in the 
user's session. The trick is to not expose the private key outside the 
session bus and therefore such calls to the system bus would need to go 
via the session bus, which appends the private key behind the scenes (IE 
its never visible in the public API). That way at least you can stop 
someone posting the private key on their blog!

It ain't watertight admittedly but it does make it much more difficult 
to fool the system.

An incrementing key encryption scheme (IE where the key value is 
incremented after every call before being hashed and sent over the wire) 
can be used to prevent snooping to increase security further.

-- 
Mr Jamie McCracken
http://www.advogato.org/person/jamiemcc/


More information about the dbus mailing list