Re: hal privileges [was: Re: [Utopia] gnome-mount 0.3 is out]



On Thu, Jan 12, 2006 at 12:59:41PM +0100, Martin Pitt wrote:
> Kay Sievers [2006-01-12 12:25 +0100]:
> > (You probably ask, because Ubuntu has the weird idea of running HAL
> > unprivileged.
> 
> It's not weird; letting the complete daemon run as root would make it
> the central point of attack and failure. We cannot support a
> distribution release for 3 or 5 with such a gaping potential source of
> vulnerabilities and problems.
> 
> We had this discussion several times ([1] is the last one known to
> me), and it seems that neither side can convince the other, so I do
> not see a point of these snide statements.

And we still expect your explanation of the attack vector. You _never_
answered this, and we asked you several times for it.

> (Also, it's not only Ubuntu; Debian has it, too, and running it
> unprivileged is even the upstream default up to now.)

Sure, that will probably change because Red Hat and Novell don't use it
and do almost all development there. You can keep that as an out-of-tree
patch on top.

> FWIW, I would happily accept the privilege separation architecture
> that was planned long ago. Matthew Garrett and I talked about this
> yesterday, and I hope that I can find some time to actually implement
> it.

Nice, but please explain in detail the benefit of such an architecture,
with the current attack vectors and how such a change would solve it.

> (who still does not understand why everybody else seems to ignore
> dbus' wonderful way of separating privileges with dbus services and
> instead uses the old centralized daemon way.)

Yeah, "explain" instead of "wondering", and contribute stuff to solve
actual problems instead of insisting on feature crippling, for no
visible reason.

Kay
