New policy type to check client credentials?
Colin Walters
walters at verbum.org
Thu Jan 29 06:47:50 PST 2009
On Thu, Jan 29, 2009 at 8:34 AM, Markku Savela <msa at moth.iki.fi> wrote:
>
> On August 4th 2008, I posted a message with topic "An issue with group
> based <policy> in dbus daemon". The core of my complaint was that
> "<policy group=xx >" tests static information based on /etc/group
> file. I wanted it to test the actual current gid/supplementary groups
> of the client process. The conclusion was that I should not change the
> semantics of the group policy.
Have you looked at PolicyKit?
http://hal.freedesktop.org/docs/PolicyKit/
Basically I think the message bus policies are good for "broad
strokes" (e.g. "this service should only be root accessible", "anyone
can access this service"). I don't think it's a very good language
for detailed policy.
Using PolicyKit or something like it, i.e. message checks on the
service side, you can implement whatever you want. For example if you
want to poke at a Linux-kernel specific credential (assuming your
process has the privilege to do so) it should be quite straightforward
to do. You can retrieve the pid of the process using the bus
GetUnixProcessID API, and from there poke into /proc or make whatever
system call.
Checks in the message bus do have some advantages, but one major
problem with adding additional tests is that many of them require
special OS privileges, and we expect OS vendors to run the bus as a
"regular user". There are ways on various operating systems to retain
privileges (capabilities on Linux).
Finally, another major advantage of PolicyKit is that it is more
explicitly designed for system administrators to customize, and
interacts better with graphical interfaces.
So a good path forward may be to patch PolicyKit to be able to make
use of the extended-group or other capability checks you'd like.
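As an added example that is not part of the thread, this is the service-side check Colin describes: once the bus has mapped the sender to a pid (via the org.freedesktop.DBus GetConnectionUnixProcessID method, which needs a live bus and is left out here), the service reads the caller's live gid and supplementary groups from /proc/<pid>/status instead of consulting the static /etc/group file. The status text below is a constructed sample; the function and field names are mine.

```python
# Added example, not code from the dbus thread: decide a request from the
# caller's current credentials as exposed by the kernel in /proc.

def parse_proc_status(status_text: str) -> dict:
    """Extract real gid, effective gid and supplementary groups from the
    contents of /proc/<pid>/status.  Returns {'gid', 'egid', 'groups'}."""
    gid = egid = None
    groups = set()
    for line in status_text.splitlines():
        if line.startswith("Gid:"):
            # Layout of the kernel line: Gid: real effective saved filesystem
            parts = line.split()[1:]
            gid, egid = int(parts[0]), int(parts[1])
        elif line.startswith("Groups:"):
            # Supplementary groups the process holds right now (may be empty)
            groups = {int(g) for g in line.split()[1:]}
    if gid is None or egid is None:
        raise ValueError("no Gid line in status text")
    return {"gid": gid, "egid": egid, "groups": groups}


def caller_in_group(status_text: str, allowed_gid: int) -> bool:
    """True if the caller currently runs with allowed_gid as its effective
    gid or among its supplementary groups."""
    creds = parse_proc_status(status_text)
    return creds["egid"] == allowed_gid or allowed_gid in creds["groups"]


def check_pid(pid: int, allowed_gid: int) -> bool:
    """Service-side check for the pid the bus reported as the sender.
    /proc/<pid>/status is world-readable, so an unprivileged service can
    run this without retaining any special OS privilege."""
    with open(f"/proc/{pid}/status") as f:
        return caller_in_group(f.read(), allowed_gid)


# Constructed excerpt of a /proc/<pid>/status file, used for offline testing.
SAMPLE_STATUS = (
    "Name:\tclient\n"
    "Pid:\t4242\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
    "Groups:\t4 24 1000\n"
)

if __name__ == "__main__":
    print(caller_in_group(SAMPLE_STATUS, 24))    # True: 24 is a supplementary group
    print(caller_in_group(SAMPLE_STATUS, 0))     # False: caller is not in gid 0
```

Do the lookup as soon as the pid arrives: a pid can be reused once the original process exits, so the answer is only as fresh as the read of /proc.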