On Thu, Oct 30, 2014 at 2:47 PM, Alex Elsayed <eternaleye@xxxxxxxxx> wrote: > Andy Lutomirski wrote: > >> On Thu, Oct 30, 2014 at 11:08 AM, Djalal Harouni >> <tixxdz@xxxxxxxxxx> wrote: >>> Hi Andy, >>> >>> 2) To get the creds of the sender of the message during send time. This >>> is specially relevent to authorize specific D-Bus method calls, by >>> checking the creds of the caller, not the one who created the kdbus >>> connection. >> >> Please humor me here: can you describe, concretely, a case where >> authorization of the principal issuing a method call is more correct >> than authorization of the principal who connected to the object being >> acted on? >> >> I suspect that such examples are actually quite difficult to find. >> >> --Andy > > The simple answer is that this is a misaimed question - you don't connect to > the object being acted on. > > You connect to the _same bus_ as other clients have connected to. You then > act on objects they have made available on the bus. > > You might have connected to a restricted endpoint, which provides a narrowed > view of the bus, but that's neither the same thing nor mandatory. OK, but this doesn't answer the question. It is not an example of a case where checking credentials at the time of connection to the bus is actually worse from a security standpoint than checking for credentials at the time of the send. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
