[packagekit] Debconf and PackageKit Was Re: Packagekit and Ubuntu

James Westby jw+debian at jameswestby.net
Wed Feb 10 08:42:36 PST 2010

On Tue, 9 Feb 2010 15:06:49 +0000, Colin Watson <cjwatson at ubuntu.com> wrote:
> We're assuming here that the transaction-id is secret, I think, because
> the point is that the rootly debconf can talk to an object on the system
> bus whose path is constructed using the transaction-id, and be sure that
> that object was started by the PackageKit client.  Is that assumption
> sound?

I'm not sure that it is.

Anything can see the list of transaction ids by querying DBus, and could
then race with the owning process to register with o.d.Debconf for that
transaction id.

Therefore if we want to do registration then we have to use a nonce in
the transaction that isn't exposed over DBus.

Richard didn't like registration though, so what are the alternatives:

  * the backend gets told which DBus name owns the transaction and can
    then call methods on it directly.
    - This has the advantage that there is less code, but it does limit
      us to doing all debconf prompting in-process.

  * the transaction id could be used, but we use information available
    on DBus to restrict who can register for a given transaction. For
    instance the uid of the process must be the same as the uid of the
    process that started the transaction (and the same pid if we
    - This again is quite simple, but I'm not sure whether there are
    concerns about malware in the user's session interfering. Given that
    they could generally hijack the process and steal the nonce in that
    approach I'm not sure that this is a worry.



More information about the PackageKit mailing list