D-Bus service activation and access control
thiago at kde.org
Fri Jul 28 15:56:54 UTC 2017
On Friday, 28 July 2017 04:16:21 PDT David Sommerseth wrote:
> What I wonder is whether the session manager, being started via D-Bus
> activation, can connect to a user's session bus?
It cannot. It doesn't even know the path, and the user's session bus daemon
would reject the connection anyway for having the wrong UID.
> ** If system/session bus mixture approach is not viable
> For user specific configurations, could one alternative approach be to
> make use of the GCredentials API and "tag" configurations to a specific
> user on the configuration object ... and deny access if an invalid
> (read: unexpected) user attempts to access the configuration object?
Sounds like a good approach, though I have no idea what GCredentials is (I
assume something from glib).
> And will this work when the session manager is activated on the system
> bus by one user and accessed by another user? It is the session manager
> which connects to the configuration manager when retrieving the
> configuration data.
It will work because any system bus process specifies which user it runs under
in its .service file. Your manager will not use either user's UID, but one that
> ** Providing arguments to the D-Bus activated service
> Is it possible to provide arguments during the activation of a service?
As in command-line parameters? Yes, they come from the .service file.
> If the backends process could get the token value it needs to register
> with the session manager, the backend client process could also be D-Bus
> activated, with User=root. The token value does not need to be
> transported as a command line argument, the communication channel is not
> important in this case.
You can't pass tokens from D-Bus to the command-line. But the activation
itself is (usually) a method call, which means you can pass that token in
arguments to the call that is activating the service.
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
Software Architect - Intel Open Source Technology Center
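
Added example, not part of the original message or of any project discussed in it: a sketch of the "tag the configuration object with a user and deny anyone else" approach from the thread. The class and function names, the bus names, the UIDs and the trusted service UID are all constructed for illustration, and the UID lookup is injected rather than performed against a real bus.

```python
from typing import Callable, Dict, FrozenSet


class AccessDenied(Exception):
    """Raised when the caller may not touch the configuration object."""


class ConfigStore:
    def __init__(self, resolve_uid: Callable[[str], int],
                 trusted_service_uids: FrozenSet[int] = frozenset()):
        # resolve_uid maps a sender's unique bus name (":1.42") to a UID.
        # A real service would ask the bus daemon, e.g. through
        # org.freedesktop.DBus.GetConnectionUnixUser; here it is injected.
        self._resolve_uid = resolve_uid
        # Assumption of this example: UIDs of services (such as a session
        # manager running under its own account) that may read on a user's behalf.
        self._trusted = trusted_service_uids
        self._objects: Dict[str, dict] = {}

    def _caller_uid(self, sender: str) -> int:
        try:
            return self._resolve_uid(sender)
        except Exception as exc:  # unknown or vanished sender: fail closed
            raise AccessDenied(f"cannot identify {sender}") from exc

    def create(self, sender: str, path: str, data: str) -> None:
        if path in self._objects:
            raise AccessDenied(f"{path} already exists")
        # Tag with the UID the bus reports, never one supplied by the caller.
        self._objects[path] = {"owner": self._caller_uid(sender), "data": data}

    def fetch(self, sender: str, path: str) -> str:
        uid = self._caller_uid(sender)
        obj = self._objects.get(path)
        # Same error for "missing" and "not yours" so paths cannot be probed.
        if obj is None or (uid != obj["owner"] and uid not in self._trusted):
            raise AccessDenied(f"uid {uid} may not read {path}")
        return obj["data"]


# Constructed sample: unique bus names mapped to UIDs. 1000 and 1001 are
# ordinary users; 990 stands for the session manager's own service account.
PEERS = {":1.10": 1000, ":1.11": 1001, ":1.12": 990}
store = ConfigStore(PEERS.__getitem__, trusted_service_uids=frozenset({990}))
store.create(":1.10", "/cfg/0", "remote vpn.example.net")
```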