Re: hal privileges [was: Re: [Utopia] gnome-mount 0.3 is out]
- From: Artem Kachitchkine <Artem Kachitchkin Sun COM>
- To: Martin Pitt <martin piware de>
- Cc: David Zeuthen <david fubar dk>, utopia-list gnome org, Jeff Waugh <jdub perkypants org>, Kay Sievers <kay sievers vrfy org>
- Subject: Re: hal privileges [was: Re: [Utopia] gnome-mount 0.3 is out]
- Date: Thu, 12 Jan 2006 08:41:20 -0800
I see. But this kind of circumventing of user privileges (which are
traditionally defined in terms of group memberships and such) is
exactly the thing that makes an all-powerful hal so dangerous.
That's what has been tormenting me for weeks. As someone who has not
contributed code to hal (but is about to), I feel I have no say in
fundamental issues like this, and I am relieved to see this brought up
now. Privilege separation is very different from access control; D-BUS
can only provide the latter. In systems with explicit support for
privileges it's more obvious, although the principle applies to any
system, regardless of implementation.
E.g. in Solaris, the mount(2) syscall can be executed by euid!=0 code if
euid is granted mount privilege - that makes any suid-root mount
wrappers redundant (in general, the notion of a superuser is becoming
redundant). This is not to say policy-aware mount wrappers are
redundant, but with the way things are now, we'd have to disable mount
methods in Solaris and patch gnome-mount to invoke mount(1) instead of
methods (mount option limitations can also be built into privileges).
I would like to take this opportunity and ask to keep Linux-specific
assumptions to a minimum when thinking about HAL architecture. It will
not only benefit other OSes, but also benefit Linux in the future, as it
rapidly evolves.
-Artem.