Re: hal privileges [was: Re: [Utopia] gnome-mount 0.3 is out]
I see. But this kind of circumventing user privileges (that is
traditionally defined in terms of group memberships and such) is
exactly the thing that makes an all-powerful hal so dangerous.

That's what has been tormenting me for weeks. As someone who has not contributed code to hal (but am about to), I feel I have no say in fundamental issues like this, and I am relieved to see this brought up now. Privilege separation is very different from access control; D-BUS can only provide the latter. In systems with explicit support for privileges it's more obvious, although the principle applies to any system, regardless of implementation.

E.g. in Solaris, the mount(2) syscall can be executed by euid!=0 code if the euid is granted the mount privilege, which makes any suid-root mount wrappers redundant (in general, the notion of a superuser is becoming redundant). This is not to say policy-aware mount wrappers are redundant, but with the way things are now, we'd have to disable mount methods in Solaris and patch gnome-mount to invoke mount(1) instead of methods (mount option limitations can also be built into privileges).

I would like to take this opportunity and ask to keep Linux-specific assumptions to a minimum when thinking about HAL architecture. It will not only benefit other OSes, but also benefit Linux in the future, as it rapidly evolves.

-Artem.
