Re: hal privileges [was: Re: [Utopia] gnome-mount 0.3 is out]

[Artem Kachitchkine <Artem Kachitchkin Sun COM>]

> I see. But this kind of circumventing user privileges (that is
> traditionally defined in terms of group memberships and such) is
> exactly the thing that makes an all-powerful hal so dangerous.

That's what has been tormenting me for weeks. As someone who has not 
contributed code to hal (but about to), I feel I have no say in 
fundamental issues like this and I am relieved to see this brought up 
now. Privilege separation is very different from access control, D-BUS 
can only provide the latter. In systems with explicit support for 
privileges it's more obvious, although the principle applies to any 
system, regardless of implementation.

E.g. in Solaris, the mount(2) syscall can be executed by euid!=0 code if 
euid is granted mount privilege - that makes any suid-root mount 
wrappers redundant (in general, the notion of a superuser is becoming 
redundant). This is not to say policy-aware mount wrappers are 
redundant, but with the way things are now, we'd have to disable mount 
methods in Solaris and patch gnome-mount to invoke mount(1) instead of 
methods (mount option limitations can also be built into privileges).

I would like to take this opportunity and ask to keep Linux-specific 
assumptions to a minimum when thinking about HAL architecture. It will 
not only benefit other OSes, but also benefit Linux in the future, as it 
rapidly evolves.

-Artem.