TCP/IP transport status

Rémi Denis-Courmont remi at remlab.net
Sat Jun 5 12:46:34 PDT 2010


	Hello,

On Saturday 5 June 2010 22:20:56 gillou.ray at free.fr, you wrote:
> I'm planning to use d-bus with its TCP/IP transport. I read on the
> freedesktop wiki[0] that "it isn't tested in use and it has the
> problems of access control, lack of encryption, and inability to go
> through firewalls and NAT". However this statement was written in 2006
> [1]. I'm wondering if there would be any progress on this.

This is largely inherent to TCP itself. I fail to see how "progress" could be 
made.

For encryption, you would need to run over TLS (or similar). Otherwise, anyone 
who can see your IP packets can see your DBus messages. And for TLS, you need 
a shared secret to bootstrap the cryptographic session. I assume nobody has 
implemented this.

And then you need to ensure that there's no firewall or NAT on the way *to* 
the DBus bus daemon. Alternatively, use SSH reverse TCP port forwarding.

> Also, could someone elaborate on the problems of access control?

Through Unix sockets, UID credentials can be checked directly. There is no way 
to do that with TCP. In fact, it would not even make sense across hosts, as 
UIDs are scoped per system (unless you use NIS or something like that).


-- 
Rémi Denis-Courmont
http://www.remlab.net/
http://fi.linkedin.com/in/remidenis

