[packagekit] Debconf and PackageKit Was Re: Packagekit and Ubuntu
James Westby
jw+debian at jameswestby.net
Wed Feb 10 08:42:36 PST 2010
On Tue, 9 Feb 2010 15:06:49 +0000, Colin Watson <cjwatson at ubuntu.com> wrote:
> We're assuming here that the transaction-id is secret, I think, because
> the point is that the rootly debconf can talk to an object on the system
> bus whose path is constructed using the transaction-id, and be sure that
> that object was started by the PackageKit client. Is that assumption
> sound?
I'm not sure that it is.

Anything can see the list of transaction ids by querying DBus, and could
then race with the owning process to register with o.d.Debconf for that
transaction id.

Therefore if we want to do registration then we have to use a nonce in
the transaction that isn't exposed over DBus.

Richard didn't like registration though, so what are the alternatives:

  * the backend gets told which DBus name owns the transaction and can
    then call methods on it directly.
    - This has the advantage that there is less code, but it does limit
      us to doing all debconf prompting in-process.

  * the transaction id could be used, but we use information available
    on DBus to restrict who can register for a given transaction. For
    instance the uid of the process must be the same as the uid of the
    process that started the transaction (and the same pid if we
    desire).
    - This again is quite simple, but I'm not sure whether there are
      concerns about malware in the user's session interfering. Given that
      they could generally hijack the process and steal the nonce in that
      approach I'm not sure that this is a worry.
Thanks,
James
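The three registration policies compared in the message above, as an added toy model that is not PackageKit, debconf or any code from the thread: a registrar that hands out public transaction ids and decides who may attach a debconf frontend to one. `PeerCredentials` is an assumed stand-in for the uid/pid a bus daemon can vouch for about a connection; the object-path pattern, identities and nonce format are constructed for the example. The first policy accepts whoever presents the id first (the race James describes), the second requires a nonce that is never exposed on the bus, and the third checks the caller's bus-reported uid (and optionally pid) against the transaction's creator.

```python
# Added example: a toy model of the three registration policies discussed
# in the thread. It is not PackageKit or debconf code; PeerCredentials
# stands in for what a bus daemon can vouch for about a connection.
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PeerCredentials:
    """Caller identity as the bus daemon would report it (assumed available)."""
    uid: int
    pid: int


@dataclass
class Transaction:
    tid: str                    # public: anyone listing transactions on the bus sees it
    owner: PeerCredentials      # who created the transaction
    nonce: str                  # secret: returned only to the creating client
    registered_by: Optional[PeerCredentials] = None


class DebconfRegistrar:
    """Decides which caller may attach a debconf frontend to a transaction."""

    def __init__(self, require_same_pid: bool = False) -> None:
        self._tx: Dict[str, Transaction] = {}
        self.require_same_pid = require_same_pid

    def create_transaction(self, creator: PeerCredentials) -> Transaction:
        # Constructed object-path pattern; the real path layout is not relevant here.
        tid = "/tx/" + secrets.token_hex(4)
        tx = Transaction(tid=tid, owner=creator, nonce=secrets.token_urlsafe(32))
        self._tx[tid] = tx
        return tx

    def list_transaction_ids(self) -> List[str]:
        # This is all an introspecting bystander learns: ids, never nonces.
        return list(self._tx)

    def _attach(self, tx: Transaction, caller: PeerCredentials) -> bool:
        if tx.registered_by is not None:
            return False            # someone already holds the registration
        tx.registered_by = caller
        return True

    # Policy 1: no check at all. Whoever presents the (public) id first wins,
    # which is exactly the race the thread warns about.
    def register_first_come(self, tid: str, caller: PeerCredentials) -> bool:
        tx = self._tx.get(tid)
        return tx is not None and self._attach(tx, caller)

    # Policy 2: a nonce that never crosses the public bus must accompany the id.
    def register_with_nonce(self, tid: str, nonce: str, caller: PeerCredentials) -> bool:
        tx = self._tx.get(tid)
        if tx is None or not hmac.compare_digest(tx.nonce, nonce):
            return False
        return self._attach(tx, caller)

    # Policy 3: no secret, but the bus-reported uid (and optionally pid) of the
    # caller must match the transaction's creator.
    def register_with_credentials(self, tid: str, caller: PeerCredentials) -> bool:
        tx = self._tx.get(tid)
        if tx is None or caller.uid != tx.owner.uid:
            return False
        if self.require_same_pid and caller.pid != tx.owner.pid:
            return False
        return self._attach(tx, caller)


def compare_policies() -> Dict[str, bool]:
    """Run each policy with the legitimate owner and callers who only know the id."""
    owner = PeerCredentials(uid=1000, pid=4242)              # constructed identities
    other_user = PeerCredentials(uid=1001, pid=5151)
    same_user_other_pid = PeerCredentials(uid=1000, pid=6161)
    results: Dict[str, bool] = {}

    r = DebconfRegistrar()
    tx = r.create_transaction(owner)
    assert tx.tid in r.list_transaction_ids()                # the id is public
    results["first_come_bystander"] = r.register_first_come(tx.tid, other_user)

    r = DebconfRegistrar()
    tx = r.create_transaction(owner)
    results["nonce_bystander_guess"] = r.register_with_nonce(tx.tid, "guess", other_user)
    results["nonce_owner"] = r.register_with_nonce(tx.tid, tx.nonce, owner)

    r = DebconfRegistrar(require_same_pid=True)
    tx = r.create_transaction(owner)
    results["creds_other_uid"] = r.register_with_credentials(tx.tid, other_user)
    results["creds_same_uid_other_pid"] = r.register_with_credentials(tx.tid, same_user_other_pid)
    results["creds_owner"] = r.register_with_credentials(tx.tid, owner)
    return results


if __name__ == "__main__":
    for name, ok in compare_policies().items():
        print(f"{name:28s} registered={ok}")
```

The nonce policy is the stronger of the two checked ones because it does not rely on the bus daemon's view of the caller; the credential policy, with `require_same_pid` off, matches the thread's point that any process in the same session (same uid) could register, which is the residual risk James weighs in the last bullet.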