Security concerns on the Windows DBUS port
Havoc Pennington
hp at redhat.com
Sat Apr 7 17:47:49 PDT 2007
Hi,

Fan Wu wrote:
> I think the problem with Windows named pipe is you can't do poll on
> it. If so the problem can probably be solved by adding a wrapper
> around WaitForMultipleObjects().

I do agree that it would be ideal to avoid tcp, e.g. see my follow-up to
the mail Ralf linked to in the archives.

> The auto-launch support is not enough to secure/authenticate the TCP
> connection. The fundamental issue is you can't trust the information
> "as told" by the peer. You can only trust the info as told by the OS,
> like the credentials passed in Unix Domain socket.

It is not, however, necessary to have peer credentials; dbus has an
extensible system for auth mechanisms. So any authentication mechanism
you care to come up with could be used. For example, on UNIX we can use
TCP also, but we use SHA1_COOKIE to authenticate instead of asking the
OS for the socket credentials.

Simply trusting the identity the remote peer claims to have, of course,
is a terrible authentication mechanism. Hopefully the Windows port is
not doing that - are you sure it isn't using the SHA1_COOKIE mechanism?

Havoc
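
Added example, not part of the original message and not dbus code: a Python sketch of the cookie challenge-response the message refers to (named DBUS_COOKIE_SHA1 in the D-Bus specification), showing that a peer which only claims a user name fails while one that can read that user's cookie succeeds. The in-memory `KEYRING`, the `Server` class and the helper names are assumptions, and the hex encoding used on the wire is omitted.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the per-user cookie file; in the real mechanism
# the file's permissions are what tie knowledge of the cookie to the user.
KEYRING = {("alice", "org_freedesktop_general", "1"): secrets.token_hex(24)}


def cookie_digest(server_challenge: str, client_challenge: str, cookie: str) -> str:
    """SHA-1 hex digest of 'server_challenge:client_challenge:cookie'."""
    composite = f"{server_challenge}:{client_challenge}:{cookie}"
    return hashlib.sha1(composite.encode("utf-8")).hexdigest()


class Server:
    def begin(self, claimed_user: str, context: str = "org_freedesktop_general"):
        """The claimed user name only selects a cookie; it proves nothing."""
        self.key = (claimed_user, context, "1")
        self.challenge = secrets.token_hex(16)
        return context, "1", self.challenge

    def verify(self, response: str) -> bool:
        """Response is '<client_challenge> <hex digest>'."""
        parts = response.split(" ")
        cookie = KEYRING.get(self.key)
        if len(parts) != 2 or cookie is None:
            return False
        client_challenge, digest = parts
        expected = cookie_digest(self.challenge, client_challenge, cookie)
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(expected.encode(), digest.encode())


def client_respond(server_challenge: str, cookie: str) -> str:
    """Client side: fresh client challenge plus digest over the shared cookie."""
    client_challenge = secrets.token_hex(16)
    return f"{client_challenge} {cookie_digest(server_challenge, client_challenge, cookie)}"


def authenticate(claimed_user: str, cookie_known_to_client: str) -> bool:
    """Run one exchange between a fresh server and a client holding a cookie."""
    server = Server()
    _context, _cookie_id, challenge = server.begin(claimed_user)
    return server.verify(client_respond(challenge, cookie_known_to_client))
```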