sending authentication data over the bus

Thiago Macieira thiago at kde.org
Sun Aug 1 14:09:06 PDT 2010


On Sunday 1. August 2010 14.56.11 Bastien Nocera wrote:
> On Thu, 2010-07-29 at 15:44 -0300, Thiago Macieira wrote:
> > On Thursday 29. July 2010 12.36.13 Rodrigo Moya wrote:
> > > Hi
> > > 
> > > I am working on an authentication service which, right now, is fired by
> > > apps requiring the authentication. This service retrieves the tokens
> > > for the user (OAuth tokens) and stores them in the GNOME keyring, and
> > > then signals the application making the call so that it can retrieve
> > > the tokens from the keyring.
> > > 
> > > We were wondering if sending the tokens over the bus, to avoid having
> > > apps having to read the keyring, would be secure. So, is it? Can
> > > external apps (running as a different user on the same system) listen
> > > to the plain text communication over the bus?
> > 
> > Different users cannot connect to the session bus.
> 
> But rogue applications within the session, and the root user switching
> users can both listen in on the D-Bus session bus.

Indeed, but both kinds of applications can also ptrace (debug, strace) the 
target applications as well as dbus-daemon itself, which would give access to 
the data transmitted over the session bus as well.

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
  Senior Product Manager - Nokia, Qt Development Frameworks
      PGP/GPG: 0x6EF45358; fingerprint:
      E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358