An issue with group based <policy> in dbus daemon
Markku Savela
msa at moth.iki.fi
Mon Aug 4 01:06:37 PDT 2008
In dbus configuration you can say
<policy group="something">
....
</policy>
I thought this was actually checking against the *current* client
process supplementary groups. However, it basically only checks against
static /etc/groups information based on the client process UID.
I needed the check against the current set, because the idea was to
dynamically add or remove some groups to/from the process context.
After looking at the problem in more detail, I kind of understand why
the feature I want is not there:
- it appears that there is currently no way in Linux to ask whether
another process has a specific group in its task context. (Even
more so, it appears that you cannot even write a kernel module to
do this, because the required functions are not exported from
kernel sys.c).
However, I did experimentally add a function into Linux kernel sys.c
to do the required test (is a gid in context of process identified by
pid), and wrote a module that would give access to this function from
the user space.
I also experimentally patched the dbus daemon code to understand a new
policy attribute, which checks against the dynamic supplementary
groups. Thus, for example
<policy dgroup="something">
...
</policy>
would actually check whether the current supplementary groups of the
client process contain the group "something".
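To make the difference between the two checks concrete, here is an added illustration (my own example, not the author's kernel or dbus patch, and not dbus code): the static check answers "does /etc/group list this user in the group", while the dynamic check answers "is the gid in the process's live supplementary set". The /etc/group text and the /proc/<pid>/status excerpt below are constructed samples; the Groups: line format is the one proc(5) documents, and whether it was usable on the kernel the author had is not something the post says. The sample models a process running as "alice" whose supplementary groups were changed at runtime: audio (29) dropped, phone (1001) added.

```python
"""Static /etc/group membership vs. a process's live supplementary groups."""
import re

# Constructed sample of /etc/group (name:passwd:gid:members).
SAMPLE_ETC_GROUP = """\
root:x:0:
audio:x:29:alice
netdev:x:108:alice,bob
phone:x:1001:bob
"""

# Constructed /proc/<pid>/status excerpt for a process running as alice
# after its supplementary groups were changed with setgroups(2):
# gid 29 (audio) was dropped, gid 1001 (phone) was added.
SAMPLE_PROC_STATUS = """\
Name:\tclient
Uid:\t1000\t1000\t1000\t1000
Gid:\t1000\t1000\t1000\t1000
Groups:\t108 1001 
"""


def parse_etc_group(text):
    """Return {gid: set(member user names)} from /etc/group-style text."""
    db = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _name, _pw, gid, members = line.split(":", 3)
        db[int(gid)] = {m for m in members.split(",") if m}
    return db


def static_groups(user, group_db):
    """Supplementary gids that /etc/group assigns to *user*.

    This mirrors an initgroups/getgrouplist-style lookup keyed on the
    client's UID: it never sees runtime changes made by setgroups(2).
    """
    return {gid for gid, members in group_db.items() if user in members}


def dynamic_groups(status_text):
    """Supplementary gids from the Groups: line of /proc/<pid>/status."""
    m = re.search(r"^Groups:\s*(.*)$", status_text, re.M)
    if m is None:
        raise ValueError("no Groups: line in status text")
    return {int(g) for g in m.group(1).split()}


def live_dynamic_groups(pid="self"):
    """Same as dynamic_groups(), but read from the running kernel."""
    with open(f"/proc/{pid}/status") as fh:
        return dynamic_groups(fh.read())


def group_policy_static(user, gid, group_db):
    """What a <policy group=...> check keyed on /etc/group decides."""
    return gid in static_groups(user, group_db)


def group_policy_dynamic(gid, status_text):
    """What a check against the live supplementary set would decide."""
    return gid in dynamic_groups(status_text)


def divergence(user, group_db, status_text):
    """Gids on which the two checks disagree: (static only, dynamic only).

    A gid in the first set is granted by the static check although the
    process no longer holds it; a gid in the second set is held by the
    process but the static check denies it.
    """
    s = static_groups(user, group_db)
    d = dynamic_groups(status_text)
    return s - d, d - s


if __name__ == "__main__":
    db = parse_etc_group(SAMPLE_ETC_GROUP)
    print("static :", sorted(static_groups("alice", db)))
    print("dynamic:", sorted(dynamic_groups(SAMPLE_PROC_STATUS)))
    print("disagree:", divergence("alice", db, SAMPLE_PROC_STATUS))
```

With the sample data the static check still grants audio (29) to a process that has dropped it and refuses phone (1001) to a process that holds it, which is exactly the gap a policy based on the live group set would close.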
The questions I have:
- has anyone else needed similar functionality?
- should I just redefine the <policy group=..> semantics, or do we
need the new keyword, like "dgroup" or something?
The solution is a bit hairy, because it does require a changed kernel
(at least I haven't found any other way to test the group of another
process efficiently).
Any thoughts or opinions?