[RFC] Making D-Bus suitable for being run early during boot

Lennart Poettering mzqohf at 0pointer.de
Fri Jul 9 13:53:46 PDT 2010


On Fri, 09.07.10 14:42, David Zeuthen (zeuthen at gmail.com) wrote:

>
> Hi,
> 
> On Fri, Jul 9, 2010 at 12:28 PM, Lennart Poettering <mzqohf at 0pointer.de> wrote:
> > Abstract namespace sockets are a fine choice for privileged code that
> > runs so early at boot that no user could invade its namespace.
> 
> No, it's not generally fine at all because said process might crash
> (or get nuked by the OOM killer or whatever) and then someone else
> could grab the socket. Of course you could say that anyone connecting
> to the socket needs to check the credentials of the other end but you
> could also just stop using the abstract namespace in the first place
> and avoid the problem earlier. Either way, please be careful saying
> things like this as people will end up doing it and then they have a
> potential security problem on their hands. And lots of extra work to
> fix it.

Well, most of the really early userspace code is also kinda crucial for
the entire system. i.e. if systemd dies, the entire system is hosed. If
D-Bus dies, the entire system is hosed.

And again, since systemd can be used to reserve those sockets early on,
it is really a safe choice I believe -- only of course if you do things
properly.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
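
The check David refers to above ("anyone connecting to the socket needs to check the credentials of the other end"), as an added example that is not part of the original thread or of D-Bus/systemd code. It is Linux-only; the socket name and the helper names `peer_credentials`, `connect_checked` and `demo` are hypothetical, and the listener in `demo` is constructed in-process so the example runs on its own.

```python
import os
import socket
import struct

UCRED = struct.Struct("iII")  # struct ucred: pid_t pid, uid_t uid, gid_t gid


def peer_credentials(sock):
    """Return (pid, uid, gid) the kernel recorded for the other end of an AF_UNIX socket."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    return UCRED.unpack(raw)


def connect_checked(name, expected_uid):
    """Connect to abstract-namespace socket `name`; refuse if its owner is not expected_uid."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.connect(b"\0" + name)  # leading NUL byte selects the abstract namespace
        _pid, uid, _gid = peer_credentials(sock)
        if uid != expected_uid:
            raise PermissionError(
                "abstract socket %r is owned by uid %d, expected %d"
                % (name, uid, expected_uid))
    except Exception:
        sock.close()
        raise
    return sock


def demo():
    """Constructed scenario: this process plays the service that owns the name."""
    name = b"example-early-boot-%d" % os.getpid()  # hypothetical socket name
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(b"\0" + name)
    listener.listen(8)
    try:
        # The owner matches the uid we expect: the connection is kept.
        connect_checked(name, os.getuid()).close()
        # Same name, but we expect a different owner: the client must refuse.
        try:
            connect_checked(name, os.getuid() + 1)
        except PermissionError:
            return True
        return False
    finally:
        listener.close()


if __name__ == "__main__":
    print("mismatched owner rejected:", demo())
```

A client of a root-owned system service would pass `expected_uid=0`, so a name re-bound by an unprivileged process after a crash is rejected before any data is exchanged.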

