Application authorisations

David Zeuthen zeuthen at gmail.com
Fri Apr 30 08:40:59 PDT 2010


Hey,

On Fri, Apr 30, 2010 at 9:55 AM, Colin Walters <walters at verbum.org> wrote:
> On Fri, Apr 30, 2010 at 8:09 AM, Bastien Nocera <hadess at hadess.net> wrote:
>>
>> Being able to install whitelists is fine, so we would probably whitelist
>> things like the preferences dialogue for geoclue, and firefox which
>> already asks whether to allow websites to query the location.
>>
>> It seems right to me to avoid this for known applications, but random
>> apps should still be asked for.
>
> As long as you keep in mind that without work probably measured in
> engineer-years, it's at best aspirational.  For example, absolutely
> nothing stops the app from just using XTest or accessibility to click
> "OK" on the dialog when it pops up.

That's true. In the same way nothing stops the app from using xspy.c
or ptrace(2) to capture passwords from mostly anything in your session
(including the screen saver). FWIW, the long term plan here is to have
a "system compositor" [0] and these sensitive things in a secure, safe
and sandboxed session that can't be spied upon. And the "secure
deployments" would even require the SAK (e.g. ctrl+alt+del) to get to
the secure sandbox.

Unfortunately no-one is really working on this. Which is pretty
amazing given how dire the situation actually is. It's probably not a
multi-year effort to fix this but there are definitely a lot of hairy
pieces here and there. But I digress.

(Oh btw, the polkit security model actually allows for the
authentication agent to run elsewhere - there's nothing in the polkit
architecture to prevent you from having the authentication agent run
on your cell phone or on a dedicated peripheral connected to your
workstation. No-one has done this yet because it's really kind of
dorky and not exactly the main use case.)

     David

[0] : or just use the VT subsystem. But it would be nicer with a
trusted process that juggles the output of several X servers - think
spinning cubes etc. See Kristian Høgsberg's Wayland work for more
discussion.

[1] : that is: lock screen authentication (e.g. screen saver), polkit
authentication agents, gvfs password dialogs and so on