serge.hallyn at ubuntu.com
Fri Dec 13 19:02:12 PST 2013
Quoting Lennart Poettering (mzqohf at 0pointer.de):
> On Fri, 13.12.13 14:19, Serge Hallyn (serge.hallyn at ubuntu.com) wrote:
> > > > The goal of doing this is not to authenticate the client, but to
> > > > pass pids and uids across namespaces and have the kernel translate
> > > > them. So the cred sent along with the null byte is akin to what I
> > > > need, but it's not what I need.
> > >
> > > I am pretty sure it would be wrong to have something like this as data
> > > type. This data should be appended implicitly, not explicitly.
> > It can't be done implicitly, though, since dbus doesn't know which
> > ucred I want to send. I'm not authenticating as that task, I just need
> > an unambiguous namespace-independent identifier for it.
> What is your goal with that, and why do you think that D-Bus should
> solve this for you?
To have one daemon on the host, serving over a unix socket which gets
bind-mounted into containers. Tasks in containers make requests
using the pids and uids they know.
> If you need to be able to translate PIDs or UIDs between namespaces,
> then maybe add some facility to the kernel that allows that, but I fail
> to see why D-Bus should bother doing that for you?
No new facility is needed - it exists. (Well, eventually I'll likely
work on an extension of it, but that's all in the kernel.) The only thing
I'm asking DBus to do is to let me send a struct ucred (that I fill in)
as an SCM_CRED, just as it lets me send a unix fd.
I can get the connection's socket fd and pass SCM_CREDS myself, just as
I could get the fd and pass files that way, but it'd be nicer to be
able to attach them to a dbus message.
> And how would D-Bus even translate those PIDs if they are in the payload?
It wouldn't, the kernel does that.
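The mechanism Serge describes, sending a caller-filled struct ucred as SCM_CREDENTIALS and letting the kernel check and translate it, as an added example in C. This is not code from the thread, from D-Bus or from any container project; it is a stand-alone Linux demonstration that uses a socketpair instead of a bind-mounted socket, and it assumes the receiver sets SO_PASSCRED (without it the kernel attaches no credential cmsg on receive). The second send, which claims a uid other than the sender's own, is rejected with EPERM unless the sender holds CAP_SETUID in the receiver's user namespace, so its outcome depends on who runs the program:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Send one data byte with an explicit SCM_CREDENTIALS ancillary message.
 * The kernel checks the claimed pid/uid/gid against the sender (or its
 * capabilities) and stores the *kernel-internal* ids, so the receiver sees
 * them translated into its own pid and user namespaces.
 * Returns 0 on success, -1 with errno set otherwise. */
static int send_explicit_creds(int sock, const struct ucred *creds)
{
    char byte = 0;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(struct ucred))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_CREDENTIALS;
    c->cmsg_len = CMSG_LEN(sizeof(struct ucred));
    memcpy(CMSG_DATA(c), creds, sizeof *creds);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one byte and the credentials the kernel attached to it.
 * The receiving socket must have SO_PASSCRED enabled. */
static int recv_creds(int sock, struct ucred *out)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(struct ucred))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
            memcpy(out, CMSG_DATA(c), sizeof *out);
            return 0;
        }
    }
    errno = ENOMSG;
    return -1;
}

/* Round trip over a socketpair (assumption: both ends in the same namespaces,
 * so no translation is visible here). Returns 1 if the explicitly sent
 * credentials came back unchanged, 0 otherwise. *spoof_errno receives 0 if
 * a second send claiming a different uid was accepted (privileged caller)
 * or the errno the kernel returned (EPERM for an unprivileged sender). */
int demo_scm_credentials(int *spoof_errno)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    int one = 1;
    setsockopt(sv[1], SOL_SOCKET, SO_PASSCRED, &one, sizeof one);

    struct ucred mine = { .pid = getpid(), .uid = getuid(), .gid = getgid() };
    struct ucred got = { 0 };
    int ok = send_explicit_creds(sv[0], &mine) == 0 && recv_creds(sv[1], &got) == 0 &&
             got.pid == mine.pid && got.uid == mine.uid && got.gid == mine.gid;

    /* Claim a uid that is not ours: only CAP_SETUID lets this through. */
    struct ucred fake = { .pid = mine.pid, .uid = mine.uid + 1, .gid = mine.gid };
    *spoof_errno = send_explicit_creds(sv[0], &fake) == 0 ? 0 : errno;

    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    int spoof_errno = 0;
    int ok = demo_scm_credentials(&spoof_errno);
    printf("own creds round trip: %s\n", ok ? "ok" : "FAILED");
    printf("foreign uid claim: %s\n",
           spoof_errno == 0 ? "accepted (caller is privileged)" : strerror(spoof_errno));
    return ok ? 0 : 1;
}
```

The point the thread turns on is the second half: because the kernel validates the ucred at send time and re-expresses it in the receiver's namespaces at receive time, a daemon on the host can trust pids and uids delivered this way even when the client lives in a container, which is what a pid or uid carried as plain payload bytes could never give it.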