Label networks like MS (was Re: How about employing <anything>)

L A Walsh dbus at tlinx.org
Sat Oct 6 22:39:50 UTC 2018


On 8/1/2018 7:19 AM, Simon McVittie wrote:
> One of the major problems with a clustered setup is that you have to
> make assumptions about identity, security, and addressing resources. The
> assumptions that D-Bus traditionally made were the same as the assumptions
> under which NFSv3 was traditionally deployed:
>   
----
    Why are you making assumptions when the user can explicitly classify
a connection as private/public/corporate, etc...?

> * identity: numeric UIDs are shared (uid 1000 on each machine is the same)
> * security: only authorized machines have access to the LAN, and all
>   authorized machines are equally trusted to enforce identity (if one
>   machine says I am uid 1000, then I can be uid 1000 on all machines)
>   
    I have that on my internal Domain.
>
> However, these assumptions are fragile. In particular, if any unauthorized
> machine (including a phone, games console or smart-fridge) can join the
> LAN, then the security assumption is[may be] broken. As soon as one of those
> assumptions is broken, the setup as a whole is wrong; and we can't detect
> whether those assumptions are broken, so we can't even warn about that.
>   
====
    In particular, how do you plug your smartphone into a wired connection
that goes from computer-to-computer with no intervening switches?  I've yet to
see a smartphone come with a vampire tap.

    In any event, as soon as they plug in, they'll be seen as a new MAC on
the net, presumably looking for an address and route.  A secured network
isn't likely to give them anything useful.

>   
>>    Fortunately, at least some of those with secure networks aren't really
>> demanding all the wizz-bangs that would be needed in a hostile environment.
>>     
>
> That's fine up to a point, but dbus-daemon can't tell the difference
> between your secure network, my local coffee shop's hostile environment,
> and Jeep's expensive recall. 
    MS networks are labeled.  Why not linux networks?
> Experience demonstrates that, unfortunately,
> anything that is possible will tend to be treated as fully supported,
> and not making insecure configurations harder to achieve seems like an
> abdication of responsibility.
>   
----
    MS doesn't take that attitude.  Why should linux?  Why do you
treat linux users as being more stupid and less responsible than
MS users?



