Application authorisations

Daniel J Walsh dwalsh at redhat.com
Thu Apr 29 04:55:30 PDT 2010



On 04/29/2010 07:36 AM, David Zeuthen wrote:
> On Thu, Apr 29, 2010 at 6:38 AM, Bastien Nocera <hadess at hadess.net> wrote:
>> Heya,
>>
>> I wanted to work on an authorisation framework for GeoClue. The goal is
>> for Geoclue to only be available to applications that the user actively
>> authorises.
>>
>> As Geoclue works with multiple D-Bus services, I would first disallow
>> all the backends to talk to anyone but the Geoclue master D-Bus service
>> (through checking for binary name, and D-Bus name).
>>
>> Then, in Geoclue master, keep a list of known binary/D-Bus names to
>> authorise, and refuse access if they're not on the list.
>>
>> The problem I have is where would I put the authorisation dialogue?
>> Could I put it in a separate daemon whose only task would be to write
>> the authorised binary name/daemon (maybe PID, for one-shot ones)
>> somewhere?
>>
>> The goal is to avoid random applications accessing the service without
>> explicit approval of the user, bar for "special" applications that I'd
>> like to whitelist (such as a geoclue preferences tab, which would
>> control the overall authorisation).
>>
>> Ideas?
> 
> It seems to me this is exactly what polkit is doing - have you thought
> about using it for this? You'd handle the "special" applications by
> simply not asking polkit about those. Control of the whitelist could
> be done using standard polkit mechanism that might pop up
> authentication dialogs. See http://hal.freedesktop.org/docs/polkit/
> for more information.
> 
> Btw, I hope you realize that on Linux, the binary name doesn't work
> great for interpreted languages and isn't really secure at all. See
> 
>  http://cgit.freedesktop.org/PolicyKit/tree/src/polkit/polkit-sysdeps.c?id=POLICY_KIT_0_9#n190
> 
> I like the "whitelist of known applications" authorization style.. but
> I don't think it's straightforward to do in a secure way. Then again,
> maybe you don't need it to be secure. Then again, you are dealing with
> sensitive information and private information like location here. I
> don't know.
> 
>      David
> _______________________________________________
> dbus mailing list
> dbus at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/dbus
If you really want to secure it, you can use SELinux/Polkit/dbus to put
a label on the executable on the client side and only allow clients with
this label to communicate with the server through dbus.
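As an added illustration of the label-based approach in this reply (example code, not GeoClue, dbus or SELinux project code): a service can ask dbus-daemon for the SELinux context of the connection that sent a request, via the real `org.freedesktop.DBus.GetConnectionSELinuxSecurityContext` method, and compare its type field against the labels its policy grants, instead of trusting a binary name that the thread above already flags as unreliable. The type names `geoclue_client_t` and `geoclue_prefs_t` and the `caller_context` / `is_authorised` helpers are assumptions made for this example; the bus call needs dbus-python and a bus built with SELinux support, while the decision logic runs anywhere.

```python
"""Service-side caller check based on the SELinux label reported by the bus.

Added example, not project code. The SELinux type names below are assumed to be
given to the authorised client executables by a local policy module; neither
GeoClue nor the reference policy of the time defines them.
"""

# Constructed allow-list of SELinux types for the authorised client domains.
ALLOWED_CLIENT_TYPES = frozenset({"geoclue_client_t", "geoclue_prefs_t"})


def context_type(ctx):
    """Return the type field of a context such as
    'unconfined_u:unconfined_r:geoclue_client_t:s0'.

    dbus-daemon hands the context back as a byte array, which may carry a
    trailing NUL, so both bytes and str are accepted here."""
    if isinstance(ctx, (bytes, bytearray)):
        ctx = bytes(ctx).rstrip(b"\0").decode("utf-8", "replace")
    else:
        ctx = str(ctx).rstrip("\0")
    fields = ctx.split(":")
    if len(fields) < 3:
        raise ValueError("malformed SELinux context: %r" % ctx)
    return fields[2]


def is_authorised(ctx, allowed=ALLOWED_CLIENT_TYPES):
    """Decision the service takes before answering a location request:
    only callers whose domain type is on the allow-list get an answer.
    Unlabelled or garbled contexts are refused rather than guessed at."""
    try:
        return context_type(ctx) in allowed
    except ValueError:
        return False


def caller_context(bus, sender):
    """Ask dbus-daemon for the SELinux context of the connection that owns
    `sender` (the unique name taken from the incoming message).

    Needs dbus-python and a SELinux-enabled bus; on any other setup the call
    raises dbus.DBusException, which handle_request treats as 'refuse'."""
    import dbus  # imported lazily so the pure functions above run anywhere

    proxy = bus.get_object("org.freedesktop.DBus", "/org/freedesktop/DBus")
    iface = dbus.Interface(proxy, "org.freedesktop.DBus")
    raw = iface.GetConnectionSELinuxSecurityContext(sender)
    return bytes(bytearray(raw))


def handle_request(bus, sender):
    """What a GeoClue-style method handler would do with the sender name:
    look up the label, then decide; any failure to obtain a label is a refusal."""
    try:
        ctx = caller_context(bus, sender)
    except Exception:
        return False
    return is_authorised(ctx)


if __name__ == "__main__":
    # Constructed contexts standing in for what the bus would return.
    print(is_authorised(b"system_u:system_r:geoclue_client_t:s0\0"))   # True
    print(is_authorised("unconfined_u:unconfined_r:unconfined_t:s0"))  # False
```

The check is only as strong as the policy that assigns the labels: the client executable must be typed so that it transitions into its own domain, and the bus policy (dbus-daemon's own `dbus { send_msg }` enforcement between the two domains) then stops unlabelled programs before the request even reaches the service. The in-service check above is the place to add a finer decision, such as consulting polkit for a user prompt, once the label has narrowed the callers down.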

