dbus / mbus (was Re: glib in kdesupport: yes or no?)

Tim Jansen tim at tjansen.de
Tue Mar 11 19:52:58 GMT 2003


On Tuesday 11 March 2003 19:53, Maks Orlovich wrote:
> There are already solutions for this in i.e. Mandrake. Using nothing but
> simple scripting. There is no need for any sort of a system-wide bus for
> this, either, since the notifications are done by the root user, which can
> certainly become any user it wants to, IIRC.

Possible that somebody hacked some solution (I don't know Mandrake's), but 
there should be a single protocol for things like that.


> Interesting scenario, but this starts getting a security nightmare. 

On the contrary: it is much more secure than the current solutions. Right now 
if there is a security leak, for example a buffer overflow in the http 
server, the attacker will get hold of the user's account. With the user's 
permissions the attacker can read and delete all files of the user. This is 
the worst thing that can happen on a typical desktop system that's used by a 
single person.
If the server is run by a neutral user, like http, the attacker can only 
access files with the http user, thus he cannot access the user's files. The 
only chance would be to find an additional security hole in the protocol 
between the http server and the application. (Ideally the http server should 
be chroot'ed to prevent it from accessing files that are readable by everyone 
or from using root-exploits in set-uid programs).

> Do you really want to have your apache server running with httpd user
> permissions talking to your desktop? What is the security policy in this
> case? How do you limit the traffic you want from the traffic you don't?  

This depends on the protocol. The http server should not be able to talk to 
any processes other than the ones that use it, and possibly talk only 
to a limited set of objects (or whatever mechanism is used to address the 
target of a RPC).

bye...
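As an added illustration, not part of the original mail, of the kind of per-sender bus policy the reply argues for: a dbus-daemon system-bus policy fragment that lets a server running as the `http` user reach exactly one named service and nothing else on the bus. The service name `org.example.WebApp`, its interface and the account `desktopuser` are placeholders.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<!-- Added example, not from the original thread. Drop-in fragment for
     /etc/dbus-1/system.d/. The daemon learns the sender's uid from the
     socket credentials of the connecting process, so rules keyed on
     user="http" still hold after the server process itself is compromised.
     Policies are applied default -> group -> user -> mandatory, later ones
     overriding earlier ones. -->
<busconfig>
  <!-- Placeholder desktop account: the only one allowed to own the name. -->
  <policy user="desktopuser">
    <allow own="org.example.WebApp"/>
  </policy>

  <!-- The http user: deny all method calls, then re-allow a single
       destination and interface. Everything else on the bus is unreachable. -->
  <policy user="http">
    <deny send_type="method_call"/>
    <allow send_destination="org.example.WebApp"
           send_interface="org.example.WebApp.Requests"/>
    <!-- Replies to calls the server itself made are still delivered. -->
    <allow send_requested_reply="true" send_type="method_return"/>
    <allow send_requested_reply="true" send_type="error"/>
  </policy>

  <!-- Defence in depth: other unprivileged users may not call the service
       and pretend to be the server. The user="http" policy above overrides
       this deny for the http user only. -->
  <policy context="default">
    <deny send_destination="org.example.WebApp"/>
  </policy>
</busconfig>
```

After installing the file the daemon must reload its configuration; a policy file that fails to parse is skipped, so check the daemon's log rather than assuming the rules are active.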