[RFC] Patch to allow a DBusConnection to be recreated from an fd

Lennart Poettering mzqohf at 0pointer.de
Wed Mar 6 05:53:52 PST 2013


On Tue, 05.03.13 20:40, Simon McVittie (simon.mcvittie at collabora.co.uk) wrote:

> 
> On 05/03/13 19:26, Thiago Macieira wrote:
> > I don't see any harm in obtaining the connection 
> > address, and I do think that creating a connection from an already-opened file 
> > descriptor could be very useful. For example, some pre-handshake could be 
> > performed on that file descriptor, or it could be transported over something 
> > different.
> 
> If we go this route, I'd prefer it to be its own transport similar to
> unixexec - "unixfd:fd=3,state=before_0" or something - rather than
> introducing open_from_fd(), which appears to mean "ignore the address
> parameter and use this fd instead, hopefully they match". It should have
> the same "it's really a socket, not something weird like a pair of
> pipes" property as unixexec.
> 
> In fact, I think this is how unixexec should have worked all along -
> then we wouldn't have unixexec's rather unfortunate security properties
> ("if you can tell someone a D-Bus address to connect to, you can make
> them execute code").
> 
> The states through which a D-Bus connection goes are approximately:
> 
> * before initial '\0'
> * after initial '\0' but before SASL (x)
> * during SASL (x)
> * after SASL but before Hello
> * Hello sent, reply with unique name not received (x)
> * between messages
> * during an incoming or outgoing message (x)
> 
> (at the points marked (x), handing off the connection makes little
> sense; included for completeness).

Doing just the from_fd() thingy, without the state thingy sounds OK to
me. But the state thingy really sounds like a bad idea, because you then
create the impression this would actually work, but it wouldn't due to
the incomplete messages problem. Or would you then start serializing the
incompletely read messages into the connection string, too? That sounds
really wrong to me.

I'd be very very careful with this state thing, it creates the
assumption by people that this could work, even though it couldn't.

The from_fd() thing without the state stuff would then only be useful
before any traffic is actually exchanged over the fd, and it wouldn't
solve James' problem, but it might be useful.

That said, I am pretty sure we should avoid adding any new APIs unless
there's a real user for them. Since James' problem wouldn't be fixed
this way I don't see a real user, so I'd just forget about the whole
thing.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
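Added example, not part of the thread and not libdbus code: a sketch of what the transport Simon proposed ("unixfd:fd=3,state=before_0") would have to check before trusting a handed-over descriptor. The address syntax, the state names and every function here are hypothetical; the two properties it enforces are the ones the thread calls out, namely that the fd is really a stream socket rather than a pipe, and that a hand-off is refused at the states marked (x), where partially read SASL or message bytes live only in the old process's buffers and cannot be recovered from the fd alone.

```python
import os
import socket
import stat

# Hypothetical state names for the seven states listed in the thread, in order.
# The ones Simon marked (x) are points where handing off the fd makes little
# sense: bytes already consumed from the socket are stuck in the old buffers.
STATES = (
    "before_0",          # before the initial '\0'
    "after_0",           # after '\0' but before SASL (x)
    "during_sasl",       # (x)
    "after_sasl",        # after SASL but before Hello
    "hello_pending",     # Hello sent, unique name not received (x)
    "between_messages",
    "in_message",        # during an incoming or outgoing message (x)
)
HANDOFF_UNSAFE = {"after_0", "during_sasl", "hello_pending", "in_message"}


def parse_unixfd_address(address):
    """Parse the hypothetical 'unixfd:fd=N,state=S' form into (fd, state).

    Unknown keys are rejected outright so the address can never smuggle in
    extra behaviour (the unixexec lesson from the thread).
    """
    transport, sep, params = address.partition(":")
    if not sep or transport != "unixfd":
        raise ValueError("not a unixfd address: %r" % address)
    fields = {}
    for item in params.split(","):
        key, sep, value = item.partition("=")
        if not sep or key in fields:
            raise ValueError("malformed or duplicate parameter: %r" % item)
        fields[key] = value
    unknown = set(fields) - {"fd", "state"}
    if unknown:
        raise ValueError("unknown parameters: %s" % sorted(unknown))
    if "fd" not in fields or not fields["fd"].isdigit():
        raise ValueError("fd must be a non-negative integer")
    state = fields.get("state", "before_0")
    if state not in STATES:
        raise ValueError("unknown state: %r" % state)
    return int(fields["fd"]), state


def check_handoff_fd(fd, state):
    """True only if fd is a stream socket and the state permits a hand-off."""
    if state in HANDOFF_UNSAFE:
        return False
    try:
        mode = os.fstat(fd).st_mode
    except OSError:
        return False
    if not stat.S_ISSOCK(mode):
        return False  # a pipe, regular file or tty is not acceptable
    # Wrap a dup so closing the socket object does not close the caller's fd.
    sock = socket.socket(fileno=os.dup(fd))
    try:
        return sock.getsockopt(socket.SOL_SOCKET, socket.SO_TYPE) == socket.SOCK_STREAM
    finally:
        sock.close()


def open_from_address(address):
    """Hypothetical entry point: validate the address and fd, then return them."""
    fd, state = parse_unixfd_address(address)
    if not check_handoff_fd(fd, state):
        raise ValueError("refusing fd %d in state %s" % (fd, state))
    return fd, state


def demo():
    """Constructed inputs: a socketpair (acceptable) and a pipe (rejected)."""
    a, b = socket.socketpair()
    r, w = os.pipe()
    try:
        return {
            "socket_before_0": check_handoff_fd(a.fileno(), "before_0"),
            "socket_in_message": check_handoff_fd(a.fileno(), "in_message"),
            "pipe_before_0": check_handoff_fd(r, "before_0"),
            "parsed_state": open_from_address(
                "unixfd:fd=%d,state=between_messages" % a.fileno())[1],
        }
    finally:
        a.close()
        b.close()
        os.close(r)
        os.close(w)


if __name__ == "__main__":
    for name, value in sorted(demo().items()):
        print("%-20s %s" % (name, value))
```

Note that even with the state check, a real implementation would still face Lennart's objection: between_messages is only safe if the sending process guarantees that nothing has been read ahead into userspace, which the fd itself cannot attest.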
