On Sat, 2007-12-08 at 01:05 +0100, Olivier Galibert wrote:
> On Fri, Dec 07, 2007 at 01:28:24PM -0500, David Zeuthen wrote:
> >
> > On Fri, 2007-12-07 at 12:53 -0500, Dan Williams wrote:
> > > I'm perfectly fine with pushing out the information in the D-Bus signal.
> >
> > There may be security risks in doing this; a malicious unprivileged
> > process can easily listen for these things and abuse the information.
>
> A user process can listen in on root-root dbus communications?

Anything that can get on the bus gets signals.  And most anything can
get on the bus, by design, otherwise D-Bus would be pretty useless.
What you _can't_ do most of the time is claim a bus name for yourself
and provide a service, unless you're specifically authorized to do so by
a config file in /etc/dbus-1/system.d or the session bus config dir.
And services can specify what can and cannot call their _methods_, but
signals are broadcast and readable by everyone by design.

The most security paranoid model would have NM pushing the config
information to the caching nameserver directly with method calls,
because those aren't broadcast on the bus like signals are.  But that
removes a lot of utility and is a lot more code.  It may be that we just
have to audit the list of options and whitelist or blacklist certain
things from being exposed over the D-Bus interface.

Dan

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
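
The delivery rules described in the message above, as an added example that is not part of the original post and not NetworkManager or D-Bus code: a toy in-memory bus contrasting broadcast signals, an allowlisted signal, and a policy-checked method call. The peer names, option keys and the ToyBus/filter_for_signal helpers are all assumptions made for illustration.

```python
# Toy in-memory model of the delivery rules above, not the D-Bus API.
# All peer names and option keys are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Peer:
    name: str
    uid: int
    inbox: list = field(default_factory=list)

class ToyBus:
    def __init__(self):
        self.peers = []          # most anything may connect, by design
        self.method_policy = {}  # destination name -> uids allowed to call it

    def emit_signal(self, sender, payload):
        # Signals are broadcast: every other connected peer receives a copy.
        for p in self.peers:
            if p is not sender:
                p.inbox.append(("signal", dict(payload)))

    def call_method(self, sender, dest, payload):
        # Method calls reach one destination and are checked against its policy.
        if sender.uid not in self.method_policy.get(dest.name, set()):
            raise PermissionError(f"{sender.name} may not call {dest.name}")
        dest.inbox.append(("method_call", dict(payload)))

SIGNAL_ALLOWLIST = {"nameservers", "search_domains"}  # audited as safe to broadcast

def filter_for_signal(options):
    return {k: v for k, v in options.items() if k in SIGNAL_ALLOWLIST}

def run_demo():
    bus = ToyBus()
    nm = Peer("NetworkManager", 0)
    resolver = Peer("caching-nameserver", 0)
    listener = Peer("unprivileged-listener", 1000)
    bus.peers += [nm, resolver, listener]
    bus.method_policy[resolver.name] = {0}            # only uid 0 may call it
    options = {"nameservers": ["192.0.2.53"], "search_domains": ["example.com"],
               "vpn_internal_zone": "corp.example"}   # constructed sample config
    bus.emit_signal(nm, options)                      # unfiltered broadcast
    leaked_unfiltered = "vpn_internal_zone" in listener.inbox[-1][1]
    bus.emit_signal(nm, filter_for_signal(options))   # allowlisted broadcast
    leaked_filtered = "vpn_internal_zone" in listener.inbox[-1][1]
    seen_before = len(listener.inbox)
    bus.call_method(nm, resolver, options)            # direct push, not broadcast
    saw_method_call = len(listener.inbox) != seen_before
    return leaked_unfiltered, leaked_filtered, saw_method_call, resolver.inbox[-1]
```

run_demo() returns whether the unprivileged listener saw the non-allowlisted key in each broadcast, whether it saw the method call, and the last message the resolver received.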