Some privilege reduction patches

Artem Kachitchkine Artem.Kachitchkin at Sun.COM
Sat Feb 18 12:11:49 PST 2006


>>Last, a question: do you have any preferred strategy how to implement
>>sanity checking in the hal-system-storage-* scripts? We don't
>>currently ship them since they do not do any checking on their own
>>(they just use the hal properties, which are unreliable in the current
>>trust model). So, if the privilege separation code should have any
>>sense, all callouts have to do input sanity checking on their own. I
>>would like to work on this if you want, I just want to make sure that
>>nobody else does ATM.

This sounds alarming. I mean, sanity checks are not a substitute. At the levels 
below hald, the system device information and the fdi files are also trusted. 
Above hald, we only allow SetProperty() for privileged callers, and we trust 
D-BUS to reliably authenticate callers. No user is allowed to log in or run 
processes as hal's user/group. Are any of these assumptions wrong, or am I 
missing something?

-Artem.
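The input sanity checking the quoted question asks about, as an added example (this is not hal's code, nor any of the hal-system-storage-* scripts): a POSIX sh callout fragment that validates the block device path and the mount label before acting on them. It assumes hald exports device properties to the callout as HAL_PROP_* environment variables (HAL_PROP_BLOCK_DEVICE here) and that the caller-supplied label arrives as the first positional argument; both names are illustrative, and the mount command is printed rather than executed so the script can be run anywhere.

```sh
#!/bin/sh
# Added example, not code from hal or the hal-system-storage-* scripts.
# Assumed interface (names illustrative): hald exports the device's
# properties to the callout as HAL_PROP_* environment variables, and the
# caller-supplied mount label arrives as the first positional argument.

NL='
'

# Succeed iff every character of $2 belongs to the tr(1) set $1.  A newline
# is refused up front, because command substitution would silently strip a
# trailing one and let "/dev/sda1<newline>" through.
only_chars() {
    case "$2" in *"$NL"*) return 1 ;; esac
    [ -z "$(printf '%s' "$2" | LC_ALL=C tr -d "$1")" ]
}

# Reject anything that is not a plain absolute path below /dev made of
# components drawn from [A-Za-z0-9_-]: no "..", no empty component, no
# trailing slash, no spaces, ";", "$", backticks or other shell-sensitive
# characters.
valid_device_path() {
    case "$1" in
        /dev/?*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *//* | */) return 1 ;;
    esac
    only_chars 'A-Za-z0-9_/-' "$1"
}

# A well-formed path is still only a claim until the kernel confirms it:
# the target must exist and be a block device, not a symlink or a regular
# file that a bogus property could point us at.
device_ok() {
    valid_device_path "$1" && [ ! -L "$1" ] && [ -b "$1" ]
}

# The mount label becomes a single path component under /media: not empty,
# not "." or "..", no slash, only [A-Za-z0-9_.-], at most 64 characters.
valid_mount_label() {
    case "$1" in
        '' | . | .. | */*) return 1 ;;
    esac
    [ "${#1}" -le 64 ] && only_chars 'A-Za-z0-9_.-' "$1"
}

# The mount point may not exist yet; if it does, it must be a real
# directory, never a symlink that would redirect the mount elsewhere.
mount_point_ok() {
    [ ! -L "$1" ] || return 1
    [ ! -e "$1" ] || [ -d "$1" ]
}

# Validate everything we were handed, then print the mount command a
# privileged callout would run (printed, not executed, so the example is
# safe to run anywhere).  Prints nothing and returns non-zero on any
# failed check.
plan_mount() {
    dev=$1 label=$2
    device_ok "$dev"           || { echo "refusing device path" >&2; return 1; }
    valid_mount_label "$label" || { echo "refusing mount label" >&2; return 1; }
    mnt="/media/$label"
    mount_point_ok "$mnt"      || { echo "refusing mount point $mnt" >&2; return 1; }
    printf 'mount -o nosuid,nodev %s %s\n' "$dev" "$mnt"
}

# Stand-alone use: check whatever hald (or the shell, for testing) put in
# the environment.  Nothing runs when HAL_PROP_BLOCK_DEVICE is unset.
if [ -n "${HAL_PROP_BLOCK_DEVICE-}" ]; then
    plan_mount "$HAL_PROP_BLOCK_DEVICE" "${1-disk}"
fi
```

Run it as `HAL_PROP_BLOCK_DEVICE=/dev/sda1 sh callout.sh usbdisk` to see the planned command, or with a bogus value such as `/dev/../etc/passwd` to see it refused. Note that checks like these only narrow what a bad property value can do inside the callout; they say nothing about whether the property should have been believed in the first place, which is the trust-model question the reply above raises.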

