Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1161280AbaJ3WBW (ORCPT ); Thu, 30 Oct 2014 18:01:22 -0400 Received: from mail-la0-f53.google.com ([209.85.215.53]:37896 "EHLO mail-la0-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1161035AbaJ3WBU (ORCPT ); Thu, 30 Oct 2014 18:01:20 -0400 MIME-Version: 1.0 In-Reply-To: References: <1414620056-6675-1-git-send-email-gregkh@linuxfoundation.org> <1414620056-6675-9-git-send-email-gregkh@linuxfoundation.org> <8738a6w6kv.fsf@x220.int.ebiederm.org> <20141030095854.GA4716@dztty> <87wq7hiwjb.fsf@x220.int.ebiederm.org> <20141030144855.GA9705@dztty> <20141030180813.GA11850@dztty> From: Andy Lutomirski Date: Thu, 30 Oct 2014 15:00:57 -0700 Message-ID: Subject: Re: kdbus: add code for buses, domains and endpoints To: Alex Elsayed Cc: Linux API , "linux-kernel@vger.kernel.org" Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Oct 30, 2014 at 2:47 PM, Alex Elsayed wrote: > Andy Lutomirski wrote: > >> On Thu, Oct 30, 2014 at 11:08 AM, Djalal Harouni >> wrote: >>> Hi Andy, >>> >>> 2) To get the creds of the sender of the message during send time. This >>> is specially relevent to authorize specific D-Bus method calls, by >>> checking the creds of the caller, not the one who created the kdbus >>> connection. >> >> Please humor me here: can you describe, concretely, a case where >> authorization of the principal issuing a method call is more correct >> than authorization of the principal who connected to the object being >> acted on? >> >> I suspect that such examples are actually quite difficult to find. >> >> --Andy > > The simple answer is that this is a misaimed question - you don't connect to > the object being acted on. > > You connect to the _same bus_ as other clients have connected to. You then > act on objects they have made available on the bus. > > You might have connected to a restricted endpoint, which provides a narrowed > view of the bus, but that's neither the same thing nor mandatory. OK, but this doesn't answer the question. It is not an example of a case where checking credentials at the time of connection to the bus is actually worse from a security standpoint than checking for credentials at the time of the send. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/