On Fri, 2005-03-04 at 20:36 +0100, Kyrre Ness Sjobak wrote:
>
> But as this system grows, and more and more apps hook up - what are the
> exploitation risks? Could one f.ex. buffer overflow a privileged app
> through the dbus "network"? Which/what kind of services will be turned on
> by default in future Fedora installations? Of course, having
> NetworkManager running on a shell server would be a problem so
> NetworkManager would probably never be turned on by default, but where
> are the border cases?

There's certainly security here to think about. dbus provides fairly fine-grained firewall-style functionality, plus the selinux integration, but in the end a system daemon that takes requests via dbus has to be written with security in mind. dbus can guarantee that the daemon only gets messages of type foo with arguments a, b, c of types string, int, double; but the daemon is responsible for ensuring that it won't crash if the int is set to INT_MAX or whatever.

Basically dbus handles a lot of the parsing/authentication/connection-establishing sort of issues but the app still has to validate that data is within expected parameters.

Keep in mind that dbus has two separate running processes, one is the systemwide one used to talk to system daemons, the other is just running as the user within the user's session like any other app.

Havoc
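An added example, not code from this thread or from the D-Bus project, of the value checks a daemon still owes after the bus has enforced a (string, int, double) signature. The function name, the meaning given to each argument, and the limits `MAX_NAME_LEN` and `MAX_COUNT` are hypothetical.

```c
#include <limits.h>
#include <math.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_NAME_LEN 64     /* assumed policy limit, not a D-Bus constant */
#define MAX_COUNT    4096   /* assumed policy limit, not a D-Bus constant */

enum req_status { REQ_OK, REQ_BAD_NAME, REQ_BAD_COUNT, REQ_BAD_SCALE };

/* Arguments arrive correctly typed; their values are still untrusted. */
enum req_status validate_request(const char *name, int32_t count,
                                 double scale, size_t *alloc_bytes)
{
    size_t len;

    if (name == NULL)
        return REQ_BAD_NAME;
    for (len = 0; name[len] != '\0'; len++) {
        char c = name[len];
        if (len >= MAX_NAME_LEN)
            return REQ_BAD_NAME;            /* over-long string */
        if (!((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '_'))
            return REQ_BAD_NAME;            /* '/', '.', spaces, control bytes */
    }
    if (len == 0)
        return REQ_BAD_NAME;

    /* Range check before any arithmetic: INT_MAX * sizeof(x) wraps where
     * size_t is 32 bits, and a negative count converts to a huge size_t. */
    if (count < 1 || count > MAX_COUNT)
        return REQ_BAD_COUNT;

    /* NaN and infinity are well-formed doubles, so the bus lets them through. */
    if (!isfinite(scale) || scale < 0.0 || scale > 1.0)
        return REQ_BAD_SCALE;

    *alloc_bytes = (size_t)count * sizeof(double);
    return REQ_OK;
}

int main(void)
{
    size_t n = 0;
    /* Constructed request: well-typed, but the int is INT_MAX. */
    printf("status=%d\n", (int)validate_request("eth0", INT_MAX, 0.5, &n));
    return 0;
}
```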