Hi Richard, hi David!

Richard Hughes [2006-01-12 12:22 +0000]:
> On Thu, 2006-01-12 at 12:59 +0100, Martin Pitt wrote:
> <snip>
>
> > (who still does not understand why everybody else seems to ignore
> > dbus' wonderful way of separating privileges with dbus services and
> > instead uses the old centralized daemon way.)
>
> Martin, do you mean like this:
>
> <policy user="0">
>   <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
>   <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"/>
>   <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
>   <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
> </policy>
>
> Or am I missing the point?

This is an access control list, i.e. it controls who may access certain
functions of hald. While that is an important feature, it is unrelated to
the privilege separation goal I'm aiming at (ACLs do not help at all to
mitigate security bugs in hald if hald runs as root).

I was rather referring to a proper dbus service like RedHat did in Network
Manager: the 'dhcdbd' backend is a dbus service which can be invoked from
the user space. It is completely separate code, only has a very narrow
interface, and does not require to run hald itself as root. On top of that
it provides flexibility: you can install or remove it independently of hal.

This is how it should be: only give privileges to parts that actually need
it (a golden rule for a secure architecture).

AFAICS this mechanism provides everything that is required for proper
privilege separation, without the need of splitting hald into a root and
non-root part.

David, are there things that would be possible with that daemon split, but
not with dbus services? Do you still want to get that split into hal?

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
Attachment:
signature.asc
Description: Digital signature
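To make the distinction in this thread concrete, here is a small added example (not code from hal, D-Bus or anyone in the thread) that evaluates the kind of `<policy>` fragment Richard quoted. It embeds that fragment in a constructed busconfig file with a default-deny policy and answers the only question such a file can answer: which caller uid may send to which interface. The rule semantics are a deliberately reduced model of dbus-daemon (assumed: the default-context policy is applied first, then the caller's user policy, the last matching rule wins, and anything unmatched is denied; group policies, `send_destination` and the mandatory context are left out). Nothing in the output says anything about the privileges of the process that receives the call, which is exactly Martin's point.

```python
"""Evaluate a simplified D-Bus busconfig send_interface policy.

Added example for this thread, not part of hal or D-Bus. The semantics are a
reduced model of dbus-daemon: <policy context="default"> rules apply first,
then <policy user="..."> rules for the caller's uid; within that order the
last matching <allow>/<deny> wins; an interface no rule mentions is denied.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the quoted <policy user="0"> block wrapped in a full
# busconfig file with a default-deny policy, as a hal policy file would have.
SAMPLE_POLICY = """<?xml version="1.0"?>
<busconfig>
  <policy context="default">
    <deny send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
    <deny send_interface="org.freedesktop.Hal.Device.LaptopPanel"/>
    <deny send_interface="org.freedesktop.Hal.Device.Volume"/>
    <deny send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
  </policy>
  <policy user="0">
    <allow send_interface="org.freedesktop.Hal.Device.SystemPowerManagement"/>
    <allow send_interface="org.freedesktop.Hal.Device.LaptopPanel"/>
    <allow send_interface="org.freedesktop.Hal.Device.Volume"/>
    <allow send_interface="org.freedesktop.Hal.Device.Volume.Crypto"/>
  </policy>
</busconfig>
"""


def parse_policies(xml_text):
    """Return [(selector, rules)] in file order.

    selector is ("default", None) or ("user", "<uid or name>");
    rules is a list of ("allow" | "deny", interface) for send_interface rules.
    """
    root = ET.fromstring(xml_text)
    policies = []
    for pol in root.findall("policy"):
        if pol.get("context") == "default":
            selector = ("default", None)
        elif pol.get("user") is not None:
            selector = ("user", pol.get("user"))
        else:
            continue  # group / at_console policies are not modelled here
        rules = [(rule.tag, rule.get("send_interface"))
                 for rule in pol
                 if rule.tag in ("allow", "deny") and rule.get("send_interface")]
        policies.append((selector, rules))
    return policies


def may_send(policies, uid, interface):
    """Decide whether caller `uid` may send a message to `interface`."""
    verdict = "deny"  # model assumption: no matching rule means deny
    for wanted in ("default", "user"):  # default context first, then user
        for (kind, who), rules in policies:
            if kind != wanted:
                continue
            if kind == "user" and str(who) != str(uid):
                continue
            for rule_verdict, rule_iface in rules:
                if rule_iface == interface:
                    verdict = rule_verdict  # last matching rule wins
    return verdict == "allow"


def audit(policies, uids):
    """Map every interface named in the file to the uids that may send to it."""
    interfaces = sorted({iface for _, rules in policies for _, iface in rules})
    return {iface: [u for u in uids if may_send(policies, u, iface)]
            for iface in interfaces}


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_POLICY)
    for iface, callers in audit(pols, [0, 1000]).items():
        print(f"{iface}: callers {callers}")
    # The audit only lists who may call hald; it says nothing about what
    # hald itself can do once called, which is the privilege question.
```

Running it lists root as the only permitted caller for each of the four interfaces and uid 1000 for none of them. That table is the whole of what the ACL expresses; whether the receiving code runs as root, and therefore what a bug in it can reach, is decided by how the service is packaged and started, not by this file.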