On Mon, Feb 12, 2007 at 03:17:02PM -0500, David Zeuthen wrote:
> > with the same uid to access and use. It's nerf security.
>
> I never claimed it provided security. You will be able to copy
> XDG_SESSION_COOKIE from your other processes and that's fine. Just keep
> in mind it's easier to just run VNC than copying it around.

That bit is really important. If your session cookie is just a non-security helper object then you don't need to do sick hacks grovelling around in other processes' environment (which isn't safe). You can pass the session id explicitly. The other end knows the uid so can validate the session id with respect to the user. Keep it in the environment but pass it and don't do sick /proc hacks. Use kerberos keys (see below) and it gets kind of hard to pass fake keys too.

> However if we used something else than XDG_SESSION_COOKIE, like tagging
> a process with a secret cookie that only privileged processes can
> read/write it would provide real security.

Only in some very narrow cases. If power is acquired through possession of a key then your security boundary is uid. Even if only a privileged process can read or write the key, the mere possession case applies as I can modify any executable I own, or any running image I own.

More seriously, the moment you want to deal in passing secure secret cookies around and using them as authentication tokens you are doing Kerberos, the difference being MIT has spent years making it secure and doing the crypto right. You can (and IMHO should) look seriously at this point at having the objects you pass explicitly be kerberos keys. At that point all the existing kerberos single sign on, web authentication of services by keys and desktop will be using the very same authority objects, and those objects are directly bindable to NFSv4 for file serving, cryptographically sound and already supported by things like ssh and our tools and libraries.

Kerberos is a cross system, cross architecture, cross platform and a standard, so it's ideal with a "Gnome is not Linux" hat on too. There are some other things kerberos gives you that are powerful too, such as constructs like key granting tickets so you can build hierarchies.

Alan

--
Fedora-maintainers mailing list
Fedora-maintainers@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-maintainers
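Alan's point that the receiving end already knows the caller's uid and can check the session id against it, as an added example that is not code from this thread or from Fedora: a small Linux Unix-socket service that takes the explicitly passed session id and validates it against the kernel-supplied SO_PEERCRED uid instead of reading another process's environment. The session registry and the session ids are constructed, and the code assumes Linux (SO_PEERCRED is Linux-specific).

```python
import os
import socket
import struct
import tempfile
import threading

# Constructed sample registry of session id -> owning uid. In a real
# system the login manager would populate this when a session starts.
SESSIONS = {"sess-a1b2c3": os.getuid(), "sess-d4e5f6": os.getuid() + 1}


def peer_uid(conn):
    """Uid of the process on the far end of a Unix socket (Linux only).
    The kernel fills in SO_PEERCRED, so a client cannot claim a uid it
    does not have; that is what makes uid the real security boundary."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)  # struct ucred {pid, uid, gid}
    return uid


def validate_session(session_id, uid, sessions=SESSIONS):
    """Accept a session id only if the registry says it belongs to this uid."""
    return sessions.get(session_id) == uid


def serve_one(listener, sessions=SESSIONS):
    """Handle one client: read the session id it passed explicitly, check it
    against the kernel-reported peer uid, and answer OK or DENIED."""
    conn, _ = listener.accept()
    with conn:
        session_id = conn.recv(256).decode("ascii", "replace").strip()
        ok = validate_session(session_id, peer_uid(conn), sessions)
        conn.sendall(b"OK\n" if ok else b"DENIED\n")
        return ok


def check(session_id, sessions=SESSIONS):
    """One server/client round trip over a private Unix socket; returns the
    server's reply, b"OK" or b"DENIED"."""
    path = os.path.join(tempfile.mkdtemp(), "session.sock")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listener:
        listener.bind(path)
        listener.listen(1)
        worker = threading.Thread(target=serve_one, args=(listener, sessions))
        worker.start()
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
            client.connect(path)
            client.sendall(session_id.encode("ascii") + b"\n")
            reply = client.recv(16).strip()
        worker.join()
    os.unlink(path)
    return reply
```

A client that copied someone else's session id still connects with its own uid, so the second check below is refused even though the id itself is valid.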