Application authorisations

Bastien Nocera hadess at hadess.net
Thu Apr 29 16:44:39 PDT 2010 

On Thu, 2010-04-29 at 11:01 -0400, David Zeuthen wrote:
> Hey,
> 
> On Thu, Apr 29, 2010 at 9:13 AM, Bastien Nocera <hadess at hadess.net> wrote:
> > Polkit is *nearly* what I want, and I thought about using it, but I
> > don't want authentication, I just want authorisation.
> >
> > Compare and contrast:
> > "Please enter the administrator password to allow this app to access
> > your location"
> > vs.
> > "This app wants to access your location. [allow] [deny]"
> >
> > Can PolicyKit do the latter? Can it be extended to do the latter?
> 
> Sure, polkit could definitely introduce auth_ack{,_keep} in addition
> to the existing auth_self and auth_admin. It would just show [allow]
> and [deny] buttons instead of challenging the user. Btw, there is
> already a fine mechanism (the PolkitBackendActionLookup extension
> point) in place for you to customize the message so it the dialog
> would be
> 
>  The application XYZ wants to access your location.
> 
> where XYZ could be Firefox or Epiphany or Empathy or whatever.

That would be nice. Should I file a bug?
<snip>
> > You would already "leak" a lot of things wrt. your location when using
> > the internet. An application could run in the background, and get all
> > the information necessary to get your location from Internet sources
> > without your knowledge. What we're trying to avoid is making it too easy
> > for applications.
> >
> > Should geoclue run as a non-privileged user outside the session instead?
> > That would make it easier to lock down, and avoid data leaking out.
> 
> Yes - I think it makes sense to actually ensure no-one can get at the
> data before putting roadblocks in place to the usual way to get to the
> data. But even after doing that it is still sketcy to authorize based
> on application identify because we no concept application identity on
> the normal Linux Desktop - not anything that's good enough to be used
> in the way you want to, anyway.
> 
> FWIW, I don't think it's really worth the effort to do all this for
> the normal Linux Desktop. Everything in your desktop session pretty
> much runs in the same security context and conventional wisdom says
> something to the effect that you are screwed if you have hostile code
> in your session _anyway_. I mean, if I was a hostile program running
> in your session I wouldn't worry too much about your location - I'd be
> much more interested in the contents of ~/.mozilla instead :-)

I'm guessing that being *told* about an app trying to use your location
would be good enough.

My plan is to:
- tell gypsy that only the geoclue of the current user can access it
- tell geoclue providers that they can't be contacted directly
- add polkit authorisation to geoclue-master

What do you think?

More information about the dbus mailing list