Starting the kdbus discussions
Lennart Poettering
mzqohf at 0pointer.de
Fri Jan 3 15:01:10 PST 2014
On Fri, 03.01.14 12:45, Simon McVittie (simon.mcvittie at collabora.co.uk) wrote:
>
> On 02/01/14 19:40, Colin Walters wrote:
> > Right, that is a serious concern. Enough to make me wonder if GLib
> > should have G_BUS_TYPE_KSYSTEM for example.
>
> I think something like this is the only way this can possibly be
> functional and secure. G_BUS_TYPE_SYSTEM_UNTRUSTED, perhaps?
This sounds like the best option to me (at least of those we have seen
so far).
> > Perhaps an alternative is that if *any* files are installed
> > in /etc/dbus-1/system.d that perform access control, then kdbus is
> > disabled? Ugly still.
>
> I don't think that works. The system bus is default-deny: every service
> that does not hard-depend on kdbus *must* install policy XML, otherwise
> it will be non-functional. Installing more policy XML punches *more*
> holes in the secure, but non-functional, default-deny policy.
>
> Assuming that system services want to be able to upgrade from a dbus
> environment to a kdbus environment without a distro-wide flag day,
> they'll need to keep installing their policy XML until they no longer
> support *upgrading from* non-kdbus systems.
Yes. Also, we need to support that people install these "legacy" apps
during runtime. And what do you do then... Switch back to dbus-daemon
during runtime? ....
Lennart
--
Lennart Poettering, Red Hat
More information about the dbus
mailing list