Application authorisations

Bastien Nocera hadess at hadess.net
Thu Apr 29 06:13:42 PDT 2010


On Thu, 2010-04-29 at 07:36 -0400, David Zeuthen wrote:
> On Thu, Apr 29, 2010 at 6:38 AM, Bastien Nocera <hadess at hadess.net> wrote:
> > Heya,
> >
> > I wanted to work on an authorisation framework for GeoClue. The goal is
> > for Geoclue to only be available to applications that the user actively
> > authorises.
> >
> > As Geoclue works with multiple D-Bus services, I would first disallow
> > all the backends to talk to anyone but the Geoclue master D-Bus service
> > (through checking for binary name, and D-Bus name).
> >
> > Then, in Geoclue master, keep a list of known binary/D-Bus names to
> > authorise, and refuse access if they're not on the list.
> >
> > The problem I have is where would I put the authorisation dialogue?
> > Could I put it in a separate daemon whose only task would be to write
> > the authorised binary name/daemon (maybe PID, for one-shot ones)
> > somewhere?
> >
> > The goal is to avoid random applications accessing the service without
> > explicit approval of the user, bar for "special" applications that I'd
> > like to whitelist (such as a geoclue preferences tab, which would
> > control the overall authorisation).
> >
> > Ideas?
> 
> It seems to me this is exactly what polkit is doing - have you thought
> about using it for this? You'd handle the "special" applications by
> simply not asking polkit about those. Control of the whitelist could
> be done using standard polkit mechanism that might pop up
> authentication dialogs. See http://hal.freedesktop.org/docs/polkit/
> for more information.

Polkit is *nearly* what I want, and I thought about using it, but I
don't want authentication, I just want authorisation.

Compare and contrast:
"Please enter the administrator password to allow this app to access
your location"
vs.
"This app wants to access your location. [allow] [deny]"

Can PolicyKit do the latter? Can it be extended to do the latter?

The authorisation also resembles the model used by the gnome-keyring,
maybe that's a better fit for storing the application authorisations.

> Btw, I hope you realize that on Linux, the binary name doesn't work
> great for interpreted languages and isn't really secure at all. See
> 
>  http://cgit.freedesktop.org/PolicyKit/tree/src/polkit/polkit-sysdeps.c?id=POLICY_KIT_0_9#n190

Right. It's probably even worse in this case given that geoclue and the
backends would run in the user session.

> I like the "whitelist of known applications" authorization style.. but
> I don't think it's straightforward to do in a secure way. Then again,
> maybe you don't need it to be secure. Then again, you are dealing with
> sensitive information and private information like location here. I
> don't know.

You would already "leak" a lot of things wrt. your location when using
the internet. An application could run in the background, and get all
the information necessary to get your location from Internet sources
without your knowledge. What we're trying to avoid is making it too easy
for applications.

Should geoclue run as a non-privileged user outside the session instead?
That would make it easier to lock down, and avoid data leaking out.

More ideas? :)
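As an added example (not code from GeoClue, polkit, or anyone in this thread), the following Python implements the whitelist-by-binary-name check discussed above and shows David's point about interpreted languages: for a Python process the executable behind the PID is the interpreter, not the script, so whitelisting one script whitelists every script that interpreter runs. The whitelist contents and function names are assumptions. On a real bus the caller's PID would be obtained from the bus daemon's org.freedesktop.DBus.GetConnectionUnixProcessID method; the example takes a PID argument instead so it runs offline against its own process.

```python
"""Whitelisting a D-Bus caller by the executable behind its PID, and why
that check is weak for interpreted callers.

Added example, not GeoClue or polkit code. On a real bus the PID would come
from org.freedesktop.DBus.GetConnectionUnixProcessID; here a PID is passed
in directly so the script runs offline against its own process (Linux /proc).
"""
import os

# Constructed, hypothetical whitelist: executables allowed to reach the
# Geoclue master without asking the user.
WHITELIST = frozenset({"/usr/bin/gnome-control-center"})


def caller_exe(pid: int) -> str:
    """Resolve the executable of a running process via /proc/<pid>/exe.

    This kernel-maintained symlink is the same source a binary-name check
    would consult. Raises if /proc is unavailable or the PID has gone away.
    """
    path = os.readlink(f"/proc/{pid}/exe")
    if path.endswith(" (deleted)"):  # binary replaced on disk since exec
        path = path[: -len(" (deleted)")]
    return path


def caller_cmdline(pid: int) -> list[str]:
    """argv of the process, NUL-separated in /proc/<pid>/cmdline."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [a.decode(errors="replace") for a in f.read().split(b"\0") if a]


def binary_name_allowed(pid: int, whitelist=WHITELIST) -> bool:
    """The naive check from the thread: is the caller's binary on the list?"""
    return caller_exe(pid) in whitelist


def interpreted_caller_demo(pid: int) -> dict:
    """Show what the naive check actually sees for an interpreted process.

    For a Python process, /proc/<pid>/exe points at the interpreter, not at
    the script, so every script run by that interpreter is indistinguishable
    to a binary-name whitelist.
    """
    exe = caller_exe(pid)
    argv = caller_cmdline(pid)
    return {
        "exe": exe,
        "argv0": argv[0] if argv else "",
        "script": next((a for a in argv if a.endswith(".py")), None),
        "exe_is_script": exe.endswith(".py"),
        # what the check decides once someone whitelists the interpreter itself
        "allowed_if_interpreter_whitelisted": binary_name_allowed(pid, {exe}),
    }


def self_demo() -> dict:
    """Run the demonstration against the current process."""
    return interpreted_caller_demo(os.getpid())


if __name__ == "__main__":
    for key, value in self_demo().items():
        print(f"{key}: {value}")
```

Run it as a script: `exe` will be the interpreter path and `exe_is_script` False, which is the failure mode the quoted reply warns about. PID reuse between the bus lookup and the /proc read is a further weakness of this approach that the example does not try to address.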
