Some privilege reduction patches
Artem Kachitchkine
Artem.Kachitchkin at Sun.COM
Sat Feb 18 12:11:49 PST 2006
>>Last, a question: do you have any preferred strategy how to implement
>>sanity checking in the hal-system-storage-* scripts? We don't
>>currently ship them since they do not do any checking on their own
>>(they just use the hal properties, which are unreliable in the current
>>trust model). So, if the privilege separation code should have any
>>sense, all callouts have to do input sanity checking on their own. I
>>would like to work on this if you want, I just want to make sure that
>>nobody else does ATM.
This sounds alarming. I mean, sanity checks are not a substitute. At the levels
below hald, the system device information and the fdi files are also trusted.
Above hald, we only allow SetProperty() for privileged callers, and we trust
D-BUS to reliably authenticate callers. No user is allowed to log in or run
processes as hal's user/group. Are any of these assumptions wrong, or am I
missing something?
-Artem.