Pluggable auth modules
Pavel Strashkin
pavel.strashkin at gmail.com
Wed Jun 1 12:34:25 PDT 2011
2011/6/1 David Zeuthen <zeuthen at gmail.com>:
>
> FWIW, GDBus has pluggable authentication mechanisms too but it is not
> exposed in any public API (much like libdbus-1's aren't) - partly
> because I wasn't happy about the API of it - partly because I don't
> want to encourage people writing new auth mechanisms.
>
Wow! Why not? I mean it depends on people, not you. I believe there
are a lot of companies (like where I'm working) which use dbus for
their purposes (heavy-traffic, many connections, remote-remote, tcp/ip,
not just minor stuff like signals from NetworkManager) and they want
more flexibility, but don't ask about it here, on the mailing list.
Pluggable auth modules aren't a big deal and as I said - it's only a
single factory function which returns an existing structure.
>
> My view is pretty simple, BTW: applications should authenticate the
> connection itself before using it for any D-Bus traffic and then just
> use the D-Bus ANONYMOUS authentication method. This would include e.g.
> checking certificates if it's a TLS connection or some proprietary
> exchange. Or whatever. In GDBus that's easy to do, see
>
> http://developer.gnome.org/gio/unstable/GDBusConnection.html#g-dbus-connection-new
>
> since you can do this on any GIOStream to create a GDBusConnection.
>
Hm... I like this way, but! I don't want to reinvent the wheel. DBus
already has its own command sequence to do auth setup, so why not just
reuse it by putting hooks for each command the way it's already done in
dbus-auth.c? Client/service isn't a problem - you have access to the
code because you're the owner, but what about the server (dbus-daemon)?
How can I tell this guy which auth to use? "g-dbus-connection-new"
doesn't solve this problem either. With pluggable auth modules you can
just compile your library, put it into a specific dir and that's all.
Server/client/service will use it automatically.
Let's discuss it more, pluses/minuses, because right now I don't see
the real NO why we can't do it (ABI isn't changed, 100%
backward-compatibility, good feature), only time and I agree to spend
my own.
P.S. allowing to create a dbus connection from any file-descriptor is
awesome! Why has nobody asked about this before? Do you create an issue
on bugzilla?
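
Added example, not part of the original message and not code from libdbus or GDBus: a sketch of the server side of the D-Bus AUTH step driven by a table of mechanism hooks, in which ANONYMOUS is accepted only when the application has already authenticated the underlying stream, as the quoted text suggests. The `AuthMech` type, `handle_auth_line`, the `transport_authenticated` flag and the GUID value are assumptions made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed 32-hex-digit server GUID, for illustration only. */
#define SERVER_GUID "0123456789abcdef0123456789abcdef"

/* Hypothetical per-mechanism hook table; not libdbus's or GDBus's real type. */
typedef struct {
    const char *name;
    /* Return 1 to accept the client, 0 to reject. */
    int (*accept)(int transport_authenticated, const char *initial_response);
} AuthMech;

/* ANONYMOUS proves nothing by itself (its payload is an optional trace
 * string), so admit it only when the stream was already authenticated,
 * e.g. by a verified TLS certificate. */
static int anon_accept(int transport_authenticated, const char *resp) {
    (void)resp;
    return transport_authenticated;
}

static const AuthMech mechs[] = { { "ANONYMOUS", anon_accept } };
#define N_MECHS (sizeof mechs / sizeof mechs[0])

/* Handle one client line (CRLF stripped) and write the server reply to out.
 * Only AUTH is modelled here; any other command gets ERROR. Returns 1 once
 * the server answered OK; the client then sends BEGIN before messages flow. */
int handle_auth_line(const char *line, int transport_authenticated,
                     char *out, size_t outlen) {
    char mech[32] = "", resp[128] = "";
    if (strncmp(line, "AUTH", 4) != 0 || (line[4] != ' ' && line[4] != '\0')) {
        snprintf(out, outlen, "ERROR \"unsupported command\"");
        return 0;
    }
    if (sscanf(line + 4, " %31s %127s", mech, resp) < 1)
        mech[0] = '\0';                 /* bare AUTH: client asks for the list */
    for (size_t i = 0; i < N_MECHS; i++) {
        if (strcmp(mech, mechs[i].name) == 0 &&
            mechs[i].accept(transport_authenticated, resp)) {
            snprintf(out, outlen, "OK %s", SERVER_GUID);
            return 1;
        }
    }
    /* Unknown mechanism or failed check: list what the server supports. */
    size_t used = (size_t)snprintf(out, outlen, "REJECTED");
    for (size_t i = 0; i < N_MECHS && used < outlen; i++)
        used += (size_t)snprintf(out + used, outlen - used, " %s", mechs[i].name);
    return 0;
}
```
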