[Dev] Tizen 3.0 proposal for fixing OSP/WRT/Core hard-coded UID issue

Jussi Laako jussi.laako at linux.intel.com
Thu Oct 17 08:56:40 GMT 2013

On 16.10.2013 18:57, Schaufler, Casey wrote:
>> Even with single launcher it could run as non-root with its own UID and just
>> have enough capabilities to do its task?
> Certainly. Locking down the individual POSIX capabilities is more work, but it's just work.

One of the concerns I have with this one privileged launcher, instead of a 
non-privileged within-session launcher, is the pre-loading and 
pre-initialization of frameworks with plugins.

For example, gstreamer can benefit quite a lot from pre-initialization. 
But if we allow third parties to install plugins this opens a gaping 
security hole in the system, because part of the initialization is 
usually loading plugins from a directory and then requesting 
capabilities of those plugins. Now through the shared library entry 
points you can in this case gain elevated privileges.

Generally of course you cannot trust plugins. That's why for example in 
gsignond we have a separate "plugind" per loaded plugin that handles 
communication between a plugin and daemon over IPC.
