[Bug 171616] System of applications autorisation in kwallet

Michael Leupold lemma at confuego.org
Tue Oct 28 08:23:15 GMT 2008


http://bugs.kde.org/show_bug.cgi?id=171616


Michael Leupold lemma confuego org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lemma at confuego.org
--- Comment #2 from Michael Leupold <lemma confuego org>  2008-10-28 09:23:14 ---
I agree with quite some of the things you mentioned:
Currently kwalletd is pretty insecure once it's opened. Also with most
installations of dbus the communication between kwalletd and applications using
it can be spied upon (if eavesdropping is enabled for the session bus).

I don't see a solution in providing a system-wide kwalletd or having a
per-application wallet though because even like that the problem of
"authenticating" an application remains.

I've also come to the belief that dbus might not be the best way to provide an
interface for managing sensitive data due to the aforementioned problems with how
it's currently deployed. There's also the problem that there's no guarantee if
dbus is running using local sockets (in which case kwalletd is able to find out
which PID is sending the request) or some other transport mechanism (like local
TCP sockets, in which case there's no way to find out who's requesting the
password). A solution to this might be resorting to socket-only
communication...

I do however value your concerns and I'm thinking of ways to implement this
properly (and on as many operating systems as possible).


-- 
Configure bugmail: http://bugs.kde.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
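The comment above draws a distinction between a daemon reached over a local (Unix-domain) socket, where the kernel can tell the server which process is on the other end, and one reached over local TCP, where it cannot. The following example, added here and not part of the bug report or of kwallet's code, shows that difference on Linux with a plain socket rather than D-Bus: the server side asks for the peer's credentials with the Linux-specific SO_PEERCRED option. Over a Unix socket it gets the client's PID, UID and GID; over loopback TCP the kernel has no process identity to report. The socket path name `wallet.sock`, the helper names and the self-connecting demo are assumptions made for the example.

```python
import os
import socket
import struct
import tempfile

# Layout of struct ucred on Linux: pid_t pid; uid_t uid; gid_t gid; (three native ints)
_UCRED_FMT = "3i"

# The demos below connect a client from this very process, so a correct
# credential lookup must report this process's own pid/uid/gid.
THIS_PROCESS = (os.getpid(), os.getuid(), os.getgid())


def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer of a connected socket, or None when
    the kernel holds no credentials for that peer.

    SO_PEERCRED is Linux-specific.  On a TCP socket the kernel answers with
    pid 0 and uid/gid -1, which is mapped to None here: a daemon accepting
    TCP clients cannot learn which local process is talking to it.
    """
    opt = getattr(socket, "SO_PEERCRED", None)
    if opt is None:  # not Linux: no credential passing available this way
        return None
    try:
        raw = conn.getsockopt(socket.SOL_SOCKET, opt, struct.calcsize(_UCRED_FMT))
    except OSError:
        return None
    pid, uid, gid = struct.unpack(_UCRED_FMT, raw)
    if pid == 0:  # no peer process known to the kernel (e.g. TCP)
        return None
    return pid, uid, gid


def _accept_loopback(family, address):
    """Bind a listener, connect a client from this process, return (server, client, accepted)."""
    srv = socket.socket(family, socket.SOCK_STREAM)
    srv.bind(address)
    srv.listen(1)
    cli = socket.socket(family, socket.SOCK_STREAM)
    cli.connect(srv.getsockname())
    conn, _ = srv.accept()
    return srv, cli, conn


def credentials_over_unix_socket():
    """Server-side view of a client that connects over a local Unix socket."""
    with tempfile.TemporaryDirectory() as tmp:
        srv, cli, conn = _accept_loopback(socket.AF_UNIX, os.path.join(tmp, "wallet.sock"))
        try:
            return peer_credentials(conn)
        finally:
            conn.close()
            cli.close()
            srv.close()


def credentials_over_tcp_socket():
    """Same exchange over loopback TCP: the kernel has no process identity to report."""
    srv, cli, conn = _accept_loopback(socket.AF_INET, ("127.0.0.1", 0))
    try:
        return peer_credentials(conn)
    finally:
        conn.close()
        cli.close()
        srv.close()


if __name__ == "__main__":
    print("unix socket peer:", credentials_over_unix_socket())  # (pid, uid, gid) of this process
    print("tcp socket peer: ", credentials_over_tcp_socket())   # None
```

The PID obtained this way identifies the calling process only at the moment of the lookup and says nothing about which executable that process is running, which is the "authenticating an application" gap the comment refers to; a daemon that wants to make per-application decisions still needs a further, separate check on top of the socket credentials.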