Security concerns on the Windows DBUS port

Havoc Pennington hp at redhat.com
Sun Apr 8 22:48:38 PDT 2007


Fan Wu wrote:
> all truthful authentication relies on the help of the OS, be it
> credentials passed in unix domain socket, or SHA1_COOKIE. For
> SHA1_COOKIE, it relies on the fact that the OS protects the access of
> a user's home directory by other non-root users. But the problem with
> SHA1_COOKIE is that a process' user account might not have a home
> directory, or the home directory is not private, like the nobody in
> Unix and LocalSystem in Windows. In these cases you might not be able
> to use SHA1_COOKIE at all.
> 

Surely there is *some* way to do authentication on Windows. I'm guessing 
there are dozens. My point is, whatever that way is, the dbus port can 
use it; just add a new authentication mechanism. For example you could 
do basically the same thing as the cookie auth, but using somewhere 
other than the homedir to store the cookie, wherever Windows is 
guaranteed to keep it private.

If it isn't clear, the Windows port is not supposed to be finished yet. 
If you can help get it finished everyone would be excited to welcome you 
to the team ;-)

Havoc
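
The cookie exchange discussed in this message, as an added example that is not part of the original post or the dbus code base: a sketch of the DBUS_COOKIE_SHA1 response computation with the keyring privacy check made explicit. The function names, the sample context name and the POSIX mode-bit check are assumptions; a port to another OS would replace `keyring_is_private` with whatever check proves the storage location is private to the user there.

```python
import hashlib
import hmac
import os
import stat
import tempfile

def keyring_is_private(directory):
    """POSIX stand-in for 'the OS keeps this private': ours, no group/other bits."""
    st = os.stat(directory)
    return st.st_uid == os.getuid() and not st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)

def load_cookie(directory, context, cookie_id):
    """Return the hex cookie for cookie_id; refuse a keyring other users can reach."""
    if not keyring_is_private(directory):
        raise PermissionError(f"{directory} is not private, ignoring keyring")
    with open(os.path.join(directory, context), encoding="ascii") as keyring:
        for line in keyring:
            fields = line.split()  # "<id> <creation-time> <hex cookie>"
            if len(fields) == 3 and fields[0] == str(cookie_id):
                return fields[2]
    raise KeyError(f"cookie {cookie_id} not found in context {context}")

def _digest(server_challenge, client_challenge, cookie):
    text = f"{server_challenge}:{client_challenge}:{cookie}"
    return hashlib.sha1(text.encode("ascii")).hexdigest()

def client_response(server_challenge, client_challenge, cookie):
    """Inner text of the client's DATA reply (hex-encoded once more on the wire)."""
    return f"{client_challenge} {_digest(server_challenge, client_challenge, cookie)}"

def server_verify(response, server_challenge, cookie):
    """Recompute from the server's copy of the cookie; constant-time compare."""
    client_challenge, _, digest = response.partition(" ")
    expected = _digest(server_challenge, client_challenge, cookie)
    return hmac.compare_digest(digest, expected)

def make_keyring(cookie_id=1, context="org_freedesktop_general"):
    """Constructed sample keyring in a fresh 0700 temp directory."""
    directory = tempfile.mkdtemp()
    cookie = os.urandom(24).hex()
    with open(os.path.join(directory, context), "w", encoding="ascii") as f:
        f.write(f"{cookie_id} 1176097718 {cookie}\n")  # constructed timestamp
    return directory, context, cookie

if __name__ == "__main__":
    directory, context, _ = make_keyring()
    cookie = load_cookie(directory, context, 1)
    server_chal, client_chal = os.urandom(16).hex(), os.urandom(16).hex()
    reply = client_response(server_chal, client_chal, cookie)
    print("accepted:", server_verify(reply, server_chal, cookie))
```

The digest proves only that the client could read the cookie file, so the mechanism is exactly as strong as the privacy check on the storage location.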


