Security concerns on the Windows DBUS port

Fan Wu wufan9418 at gmail.com
Mon Apr 9 08:11:32 PDT 2007


I will give it a shot and see how far it goes.

Fan

On 4/8/07, Havoc Pennington <hp at redhat.com> wrote:
> Fan Wu wrote:
> > all truthful authentication relies on the help of the OS, be it
> > credentials passed in unix domain socket, or SHA1_COOKIE. For
> > SHA1_COOKIE, it relies on the fact that the OS protects the access of
> > an user's home directory by other non-root users. But the problem with
> > SHA1_COOKIE is that a process' user account might not have a home
> > directory, or the home directory is not private, like the nobody in
> > Unix and LocalSystem in windows. In these cases you might not be able
> > to use SHA1_COOKIE at all.
> >
>
> Surely there is *some* way to do authentication on Windows. I'm guessing
> there are dozens. My point is, whatever that way is, the dbus port can
> use it; just add a new authentication mechanism. For example you could
> do basically the same thing as the cookie auth, but using somewhere
> other than the homedir to store the cookie, wherever Windows is
> guaranteed to keep it private.
>
> If it isn't clear, the Windows port is not supposed to be finished yet.
> If you can help get it finished everyone would be excited to welcome you
> to the team ;-)
>
> Havoc
>
>


More information about the dbus mailing list