Starting the kdbus discussions

Lennart Poettering mzqohf at 0pointer.de
Fri Jan 3 15:01:10 PST 2014


On Fri, 03.01.14 12:45, Simon McVittie (simon.mcvittie at collabora.co.uk) wrote:

> 
> On 02/01/14 19:40, Colin Walters wrote:
> > Right, that is a serious concern.  Enough to make me wonder if GLib
> > should have G_BUS_TYPE_KSYSTEM for example.
> 
> I think something like this is the only way this can possibly be
> functional and secure. G_BUS_TYPE_SYSTEM_UNTRUSTED, perhaps?

This sounds like the best option to me (at least of those we have seen
so far).

> > Perhaps an alternative is that if *any* files are installed
> > in /etc/dbus-1/system.d that perform access control, then kdbus is
> > disabled?  Ugly still.
> 
> I don't think that works. The system bus is default-deny: every service
> that does not hard-depend on kdbus *must* install policy XML, otherwise
> it will be non-functional. Installing more policy XML punches *more*
> holes in the secure, but non-functional, default-deny policy.
> 
> Assuming that system services want to be able to upgrade from a dbus
> environment to a kdbus environment without a distro-wide flag day,
> they'll need to keep installing their policy XML until they no longer
> support *upgrading from* non-kdbus systems.

Yes. Also, we need to support that people install these "legacy" apps
during runtime. And what do you do then... Switch back to dbus-daemon
during runtime? ....

Lennart

-- 
Lennart Poettering, Red Hat
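
The default-deny point from the thread, as an added example (not part of the original message, and not code from dbus or GLib): a short Python audit that lists the `<allow>` rules a policy file of the kind installed in /etc/dbus-1/system.d adds on top of the default-deny system bus policy. The service name `org.example.Demo`, the sample file and the function names are constructed for illustration; the script only lists rules and does not evaluate `<deny>` rules or rule ordering.

```python
import xml.etree.ElementTree as ET

# Constructed sample of one service's policy file, in the format read from
# /etc/dbus-1/system.d (org.example.Demo is a made-up bus name).
SAMPLE_POLICY = """\
<busconfig>
  <policy user="root">
    <allow own="org.example.Demo"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.Demo"/>
    <deny send_destination="org.example.Demo"
          send_interface="org.example.Demo.Admin"/>
  </policy>
</busconfig>
"""


def list_holes(policy_xml):
    """Return (scope, rule attributes) for every <allow> rule in the file."""
    holes = []
    root = ET.fromstring(policy_xml)
    for policy in root.iter("policy"):
        # A <policy> is scoped by context, user, group or at_console.
        scope = ", ".join(f"{k}={v}" for k, v in sorted(policy.attrib.items()))
        for rule in policy:
            if rule.tag == "allow":
                holes.append((scope, dict(rule.attrib)))
    return holes


def world_reachable(policy_xml):
    """Bus names that an <allow> in context="default" opens to every user."""
    names = set()
    for scope, rule in list_holes(policy_xml):
        if scope == "context=default" and "send_destination" in rule:
            names.add(rule["send_destination"])
    return sorted(names)


if __name__ == "__main__":
    for scope, rule in list_holes(SAMPLE_POLICY):
        print(f"[{scope}] allow {rule}")
    print("reachable by any user:", world_reachable(SAMPLE_POLICY))
```
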

