|
|
Log in / Subscribe / Register

Re: Issues with capability bits and meta-data in kdbus

[Posted April 22, 2015 by corbet]

From:  Linus Torvalds <torvalds-AT-linux-foundation.org>
To:  Andy Lutomirski <luto-AT-amacapital.net>
Subject:  Re: Issues with capability bits and meta-data in kdbus
Date:  Tue, 21 Apr 2015 19:32:42 -0700
Message-ID:  <CA+55aFzL22XjeyPuapc+mYe1fEco8ZY7doJzSF9vPLwGU9taXA@mail.gmail.com>
Cc:  "Eric W. Biederman" <ebiederm-AT-xmission.com>, Greg Kroah-Hartman <gregkh-AT-linuxfoundation.org>, Andrew Morton <akpm-AT-linux-foundation.org>, Arnd Bergmann <arnd-AT-arndb.de>, One Thousand Gnomes <gnomes-AT-lxorguk.ukuu.org.uk>, Tom Gundersen <teg-AT-jklm.no>, Jiri Kosina <jkosina-AT-suse.cz>, Linux Kernel Mailing List <linux-kernel-AT-vger.kernel.org>, Daniel Mack <daniel-AT-zonque.org>, David Herrmann <dh.herrmann-AT-gmail.com>, Djalal Harouni <tixxdz-AT-opendz.org>
Archive‑link:  Article

On Tue, Apr 21, 2015 at 6:54 PM, Andy Lutomirski <luto@amacapital.net> wrote:
>
> If kdbus were a general purpose IPC tool

 .. but it's not ..

>                                     and if the libraries would
> expose nice knobs like "set this flag if and only if you want to
> assert CAP_WHATEVER to the server", then maybe this would be okay.

I really don't agree.

The whole notion that you should be able to be anonymous when
communicating is *wrong*.

Now, when you talk across machines using TCP, there's no identity that
you can trust, so anonymity is kind of enforced. But locally, if you
want to connect with somebody else, I actually think that tryin gto be
anonymous is just stupid - and more than that - plain wrong.

Yeah, if you do a pipe, that's one thing. You don't "connect" to
somebody else with a pipe, you just create both end points. So there
is little point in having identifying information for pipes. But when
you connect to a service, it just *makes sense* for the other end to
know about you. They should know your user ID, they should know your
identity (pid or whatever), and they should know your capabilities.

If you don't want that, then you use some anonymizing service, and it
because *your* problem. But a server that gets connected by different
people should know who it gets connected by.

Unix domain sockets simply got this wrong.

I don't think thi sis the problem of kdbus. There may be *other&*
problems, but I think it's very reasonable to just have as a basic
*requirement* that when you get connected, you get to know who
connects you, and what their rights are. Because it really *is*
something fundamental, and something important to know. Is it some
random nobody, or is it a system service?

If I was a service writer, that would be *the* most basic requirement
I would have. No ifs, buts or maybes about it.

           Linus

to post comments


Copyright © 2015, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds