Unix FD Passing

Lennart Poettering mzqohf at 0pointer.de
Wed May 20 15:02:52 PDT 2009


On Wed, 20.05.09 16:51, Havoc Pennington (hp at pobox.com) wrote:

> 
> Hi,
> 
> On Wed, May 20, 2009 at 4:30 PM, Lennart Poettering <mzqohf at 0pointer.de> wrote:
> > After all it is as much a programming error to expose an API that
> > needs unix fd passing on a connection that doesn't support it as it is
> > trying to make use of such an API via a connection that doesn't support it.
> >
> > i.e. on a connection that cannot support it expecting a unix fd is
> > as broken as sending a unix fd.
> 
> Right, but we don't have a way to feature negotiate over the bus; apps
> A and B talking by bus are unable to negotiate.

That is true. But this is not a problem.

All that is needed is that both A and B verify that the connection
they set up supports unix fd passing. I.e. the service provider should
just bail out with an error early during startup if it is started on a
bus that doesn't do unix fd passing. And similarly, the other side
shouldn't try at all to send requests with unix fds if they know
their connection cannot do it.

We don't need nego across the bus. If both A and B verify nego with
bus that should be good enough.

We'd need nego across the bus only if more than one bus is in the
pipeline. But that would be pretty lame.

> > A possible solution could be to use _dbus_return_if_fail() in
> > dbus_connection_send() and friends and then simply fix the dbus daemon
> > to not forward messages that include unix fds on connections that
> > don't do it. That would be simple and make a lot of sense to me.
> 
> I was suggesting pretty much this except have the bus generate an
> error rather than /dev/null, when eavesdrop=false ... this should be
> fairly simple in the bus daemon, it's similar to what the bus daemon
> does if a security policy forbids sending a particular message to a
> particular app for example.

I don't think this should return an error.

After all, if you broadcast a signal you don't want to get zillions of
responses from everyone who didn't understand it. Dropping messages
silently should be good enough.

> In fact in the same spot that calls the "check security policy"
> functions, we could add "check feature compatibility" and do this
> exactly the same way.

I don't think this would be beneficial.

Lennart

-- 
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/           GnuPG 0x1A015CC4

