Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933023AbbDVCco (ORCPT <rfc822;w@1wt.eu>);
	Tue, 21 Apr 2015 22:32:44 -0400
Received: from mail-ig0-f173.google.com ([209.85.213.173]:34837 "EHLO
	mail-ig0-f173.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1756783AbbDVCcm (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 21 Apr 2015 22:32:42 -0400
MIME-Version: 1.0
In-Reply-To: <CALCETrX+z2xqvpG=UHm5JoA_dSupug9fwphkKR3YYy8FdXivFA@mail.gmail.com>
References: <20150413190350.GA9485@kroah.com>
	<8738434yjk.fsf@x220.int.ebiederm.org>
	<87lhhv36je.fsf@x220.int.ebiederm.org>
	<20150414175534.GB3974@kroah.com>
	<87oamhmbso.fsf_-_@x220.int.ebiederm.org>
	<CA+55aFwqhbN=1Tm71AFHtXeOUut5gcLpqRmH=6R1H92grDsVrw@mail.gmail.com>
	<CALCETrX+z2xqvpG=UHm5JoA_dSupug9fwphkKR3YYy8FdXivFA@mail.gmail.com>
Date: Tue, 21 Apr 2015 19:32:42 -0700
X-Google-Sender-Auth: Hqp6zGqec8PQlsKAkvDCFRKoPqw
Message-ID: <CA+55aFzL22XjeyPuapc+mYe1fEco8ZY7doJzSF9vPLwGU9taXA@mail.gmail.com>
Subject: Re: Issues with capability bits and meta-data in kdbus
From: Linus Torvalds <torvalds@linux-foundation.org>
To: Andy Lutomirski <luto@amacapital.net>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Arnd Bergmann <arnd@arndb.de>,
        One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>,
        Tom Gundersen <teg@jklm.no>, Jiri Kosina <jkosina@suse.cz>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Daniel Mack <daniel@zonque.org>,
        David Herrmann <dh.herrmann@gmail.com>,
        Djalal Harouni <tixxdz@opendz.org>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2123
Lines: 49

On Tue, Apr 21, 2015 at 6:54 PM, Andy Lutomirski <luto@amacapital.net> wrote:
>
> If kdbus were a general purpose IPC tool

 .. but it's not ..

>                                     and if the libraries would
> expose nice knobs like "set this flag if and only if you want to
> assert CAP_WHATEVER to the server", then maybe this would be okay.

I really don't agree.

The whole notion that you should be able to be anonymous when
communicating is *wrong*.

Now, when you talk across machines using TCP, there's no identity that
you can trust, so anonymity is kind of enforced. But locally, if you
want to connect with somebody else, I actually think that tryin gto be
anonymous is just stupid - and more than that - plain wrong.

Yeah, if you do a pipe, that's one thing. You don't "connect" to
somebody else with a pipe, you just create both end points. So there
is little point in having identifying information for pipes. But when
you connect to a service, it just *makes sense* for the other end to
know about you. They should know your user ID, they should know your
identity (pid or whatever), and they should know your capabilities.

If you don't want that, then you use some anonymizing service, and it
because *your* problem. But a server that gets connected by different
people should know who it gets connected by.

Unix domain sockets simply got this wrong.

I don't think thi sis the problem of kdbus. There may be *other&*
problems, but I think it's very reasonable to just have as a basic
*requirement* that when you get connected, you get to know who
connects you, and what their rights are. Because it really *is*
something fundamental, and something important to know. Is it some
random nobody, or is it a system service?

If I was a service writer, that would be *the* most basic requirement
I would have. No ifs, buts or maybes about it.

           Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/