[Dev] Tizen 3.0 proposal for fixing OSP/WRT/Core hard-coded UID issue

Jussi Laako jussi.laako at linux.intel.com
Mon Oct 14 09:22:00 GMT 2013


On 12.10.2013 1:16, Stéphane Desneux wrote:
> If we don't want to set a static address for the dbus session address
> (would it be a security hole?), it may even be more tricky: the DBUS
> session address will be set when libdbus forks dbus--session, i.e. when
> the first dbus app will start. From a security POV, I prefer random
> sockets but it's even harder to define what's the correct environment to
> paste into the application process.

No, the dbus session bus daemon should be started explicitly at session 
creation (like on desktops) and it will generate a random address which 
then gets set to the environment.

Now the environment seen by the dbus-daemon and any services launched by 
it is fresh and clean from the session creation and not something from any 
app's environment.

If the launcher is auto-started by the session dbus-daemon it will automagically 
inherit a clean user environment and that will get properly passed on to 
any launched applications.

Although for the launcher you could rather use p2p dbus and not the session bus 
since you want to keep the launcher running always anyway and this way 
you get more control over the environment. The address can still be random 
and passed on as part of the session.
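
Added example, not part of the original message or of any Tizen code: a shell illustration of the approach the reply describes, where the session bus is started once at session creation from an emptied environment and the address it prints is handed to launched applications. The names `DBUS_DAEMON`, `session_bus_start` and `session_launch`, and the choice of allowlisted variables, are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example; function names and the variable allowlist are hypothetical.

# Daemon binary, overridable so the functions can be exercised without a bus.
DBUS_DAEMON="${DBUS_DAEMON:-dbus-daemon}"

# Start the session bus at session creation. env -i empties the inherited
# environment, so the daemon and every service it activates see only the
# allowlisted variables and nothing taken from an application's environment.
# Args: user, home, runtime dir. Prints the address the daemon generated.
session_bus_start() {
    addr=$(env -i USER="$1" HOME="$2" XDG_RUNTIME_DIR="$3" PATH=/usr/bin:/bin \
        "$DBUS_DAEMON" --session --fork --print-address=1) || return 1
    # No address means the explicit start failed; stop here rather than
    # leave the bus to be started by whichever application runs first.
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Launch an application with the same clean environment plus the bus address
# recorded at session creation.
# Args: address, user, home, runtime dir, then the command and its arguments.
session_launch() {
    addr=$1 user=$2 home=$3 rt=$4
    shift 4
    env -i USER="$user" HOME="$home" XDG_RUNTIME_DIR="$rt" PATH=/usr/bin:/bin \
        DBUS_SESSION_BUS_ADDRESS="$addr" "$@"
}

# Typical use at session creation (constructed values):
#   addr=$(session_bus_start alice /home/alice /run/user/5000) || exit 1
#   session_launch "$addr" alice /home/alice /run/user/5000 /usr/bin/some-app
```

Because the address is captured once and passed explicitly, it can stay random per session while every launched process still receives the same value.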


