Re: New modules in 2.14



On Wed, 2006-01-18 at 10:58 -0500, Ryan Lortie wrote:
> This is exactly the problem.  In order for g-p-m to do its stuff we have
> to add to HAL the ability for any user to say "suspend the system
> now" (since g-p-m needs to do this and it's just running as a normal
> user).  If any user can say "suspend now" then I can be logged in as a
> background user and play nasty tricks on the console user.  

Tell me how the desktop piece that talks to the system daemon in your
proposal isn't vulnerable in this case? Because you need this to e.g.
tell the system daemon that your session is idle and it's time to
suspend to save battery...

You know... A smart guy once told me that once you can run code on a
victim's machine you've already won. In this case we limit this to being
able to suspend the machine. Also, if you use SELinux you can even limit
this since you'll only allow /usr/bin/gnome-power-manager to do this.

Don't you think there are far worse destructive things you could do if
you could run code in a console session? Like.. silently just log
key-strokes?

> HAL
> currently has no mechanism for making a distinction between background
> users and the user that currently 'controls' the machine.

This is a missing feature in D-BUS. See my proposal about ConsoleTracker
at http://blog.fubar.dk/?p=63 and on the D-BUS mailing list on how to
deal with this. Someone just needs to write the code.

Oh, it's also a corner case.

> When you add additional privileges to HAL you also increase the chance
> that someone is able to exploit a security hole in HAL itself.  Martin
> Pitt, for example, has ranted about this at length because it's not a
> good idea (and even found some security problems to validate his
> concerns).

Don't forget to say that Martin and I agree what needs to be done to
make us both feel comfortable about this.

Oh, btw, I can assure you that HAL will grow more functional and provide
more and more methods to make things easier (next up is providing
Format() and PartitionDisk() methods). It's just stupid to create a
system daemon for every conceivable case where you need privileges. We
have a simple and secure framework to easily do this in HAL. Saying it's
"not a good idea" is.. well.. let's just say I disagree :-)

    David
