Hi David!

David Zeuthen [2006-01-12 9:55 -0500]:
> There may be a few cases (reading battery info comes to mind) where we
> need to clean this up too; that's all part of the work of separating
> hald into two processes - the unprivileged one handling D-BUS requests
> and the uid 0 one that executes helpers.

Sounds fine. I didn't think about the design so far, and I'm not intimately familiar with the guts of hal, but does that essentially boil down to changing hal_util_helper_invoke_with_pipes() to not exec() the helper, but instead send a dbus message to the privileged process?

It should also be decided what is better: fork()ing hald at the start (which would make startup easy, but operation less robust since in principle all the code would still be present in the root daemon), or a completely separate code base (easier to audit and more robust, but more problems with startup), or a hybrid solution (fork/exec the unprivileged instance from the privileged one). Personally I'd do the last option; David, what do you think?

> Don't you think this is nicer, we get less code running at uid 0
> which is always good even if there are no real threats (still I'm
> waiting for Martin to point those out).

http://lists.freedesktop.org/archives/hal/2006-January/004240.html
http://bugzilla.gnome.org/show_bug.cgi?id=324207

Thanks,

Martin

-- 
Martin Pitt                   http://www.piware.de
Ubuntu Developer              http://www.ubuntu.com
Debian Developer              http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
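The hybrid model Martin proposes (the uid 0 process fork/execs an unprivileged instance and only ever runs helpers on its behalf), as an added example written for this thread and not code from hal: a socketpair stands in for the D-Bus message so it runs stand-alone, the helper allowlist and the "nobody" account are assumptions, and the privileged side refuses any request that is not on the list.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/socket.h>
#include <sys/wait.h>
/* Helpers the uid 0 side will exec; a constructed allowlist for this sketch. */
static const char *const allowed_helpers[] = { "/bin/true", "/bin/false", NULL };

/* Privileged side: exec only an allowlisted helper. Returns its exit status, or -1 if rejected. */
int privileged_run_helper(const char *req)
{
    int i, ok = 0, status = 0;
    for (i = 0; allowed_helpers[i]; i++) ok |= strcmp(req, allowed_helpers[i]) == 0;
    if (!ok) return -1;                      /* unknown path: refuse, do not exec */
    pid_t pid = fork();
    if (pid == 0) { execl(req, req, (char *)NULL); _exit(127); }
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Unprivileged side: drop to "nobody" when started as root, then ask the parent; never exec()s. */
static int unprivileged_request(int fd, const char *helper)
{
    int reply = -1;
    struct passwd *pw = getpwnam("nobody");
    if (geteuid() == 0 && (!pw || setgid(pw->pw_gid) || setuid(pw->pw_uid)))
        return -1;
    if (write(fd, helper, strlen(helper) + 1) < 0) return -1;
    return read(fd, &reply, sizeof reply) == (ssize_t)sizeof reply ? reply : -1;
}

/* Hybrid model from the thread: the privileged parent forks the unprivileged child and serves one request over a socketpair; returns the parent's verdict. */
int privsep_roundtrip(const char *helper)
{
    int sv[2], verdict = -1;
    char req[256] = {0};
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                          /* unprivileged child */
        close(sv[0]);
        _exit(unprivileged_request(sv[1], helper) == 0 ? 0 : 1);
    }
    close(sv[1]);                            /* privileged parent */
    if (pid < 0) { close(sv[0]); return -1; }
    if (read(sv[0], req, sizeof req - 1) > 0) verdict = privileged_run_helper(req);
    if (write(sv[0], &verdict, sizeof verdict) < 0) verdict = -1;
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return verdict;
}
```

The allowlist is the check that makes the split worth having: a compromised unprivileged side can only name helpers the uid 0 side already agreed to run, with no arguments or paths of its own choosing.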