dbus / mbus (was Re: glib in kdesupport: yes or no?)
tim at tjansen.de
Tue Mar 11 19:52:58 GMT 2003
On Tuesday 11 March 2003 19:53, Maks Orlovich wrote:
> There are already solutions for this in i.e. Mandrake. Using nothing but
> simple scripting. There is no need for any sort of a system-wide bus for
> this, either, since the notifications are done by the root user, which can
> certainly become any user it wants to, IIRC.
Possible that somebody hacked some solution (i don't know Mandrake's), but
there should a single protocol for things like that.
> Interesting scenario, but this starts getting a security nightmare.
On the contrary: it is much more secure than the current solutions. Right now
if there is a security leak, for example a buffer overflow in the http
server, the attacker will get hold of the user's account. With the user's
permissions the attacker can read and delete all files of the user. This is
the worst thing that can happen on a typical desktop system that's used by a
If the server is run by a neutral user, like http, the attacker can only
access files with the http user, thus he can not access the user's files. The
only chance would be to find an additional security hole in the protocol
between the http server and the application. (Ideally the http server should
be chroot'ed to prevent it from accessing files that are readable by everyone
or from using root-exploits in set-uid programs).
> Do you really want to have your apache server running with httpd user
> permissions talking to your desktop? What is the security policy in this
> case? How do you limit the traffic you want from the traffic you don't?
This depends on the protocol. The http server should not be able to talk to
any other processes other than the ones that use it, and possibly talk only
to a limited set of objects (or whatever mechanism is used to address the
target of a RPC).
More information about the kde-core-devel