Re: Followup: opinions on Search services

From: Peter Wainwright <prw ceiriog1 demon co uk>
To: gnome-devel-list gnome org
Subject: Re: Followup: opinions on Search services
Date: Thu, 12 May 2005 18:46:31 +0100

On Tue, 2005-05-10 at 16:56 -0500, Manuel Amador wrote:
> El mar, 26-04-2005 a las 23:32 -0400, Joe Shaw escribió:
> > Hi,
> > 
> > On Tue, 2005-04-26 at 18:22 -0500, Manuel Amador wrote:
> > > Oh, this is good.  Any plans to moving to a system-wide daemon model?
> > 
> > Moving to a solely system-wide model?  No.  The security implications of
> > a daemon running as root that monitors all the files on the system can
> > get hairy.  If you keep it per-user, then the security is fairly simple
> > filesystem permissions.

I don't see how you can run a per-user daemon without causing huge
wastage on a multi-user system.  How does slocate do it? a system-wide
search that inserts security permissions in a database and then
respects 
them when responding to queries?  That is probably the way to go, even 
if it is difficult to get right.  You will probably need some separation
of permissions in the setgid (or setuid) client part to keep the 
dangerous stuff simple.

Peter Wainwright

> 
> But, you know, you could fork and setuid()/setgid() to the calling user
> right before performing searches or other user-requested actions.
> 
> > 
> > That said, there is a lot to be gained by having a shared store for a
> > lot of interesting, publicly available system-wide data.  Things like
> > launchers, man pages, etc. are definitely useful to the user.  Right now
> > we're indexing those for each user, but this is obviously suboptimal.
> > We don't have a concrete plan for this right now, but there are a few
> > options: we could have an instance of the daemon running as user nobody
> > which monitors some interesting directories (like the man paths); we
> > could have a shared read-only index crawler ala updatedb run once a day
> > or so.  But it's not something we've sat down and prototyped or
> > investigated in depth yet.
> 
> You could also have a multiple-responsibility model: an indexer running
> as root (which is the only part in the model that would be vulnerable,
> and thus SS chose a managed language to write this in), a search daemon
> which downgrades its security credentials upon search.  Postfix
> successfully uses this model.
> 
> > 
> > Joe
-- 
Peter Wainwright <prw ceiriog1 demon co uk>

Follow-Ups:
- Re: Followup: opinions on Search services
  - From: John (J5) Palmieri
- Re: Followup: opinions on Search services
  - From: Behdad Esfahbod
- Re: Followup: opinions on Search services
  - From: Manuel Amador

References:
- Re: Followup: opinions on Search services
  - From: Manuel Amador

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]