[Dev] enforcing priviliges of web apps (was: Re: New Tizen Bluetooth Framwork (NTB) wiki page)

Patrick Ohly patrick.ohly at intel.com
Wed May 14 09:32:41 GMT 2014


On Wed, 2014-05-14 at 11:15 +0200, José Bollo wrote:
> On mer, 2014-05-14 at 10:33 +0300, Kis, Zoltan wrote:
> > On Wed, May 14, 2014 at 9:53 AM, Patrick Ohly <patrick.ohly at intel.com> wrote:
> 
> (snip)
> 
> > >  4. Cynara called by dbus-daemon, based on service configuration.
> > >
> > > The advantage of option 4 over 3 is that we don't need to touch the many
> > > entry points into upstream services. However, it depends on Cynara
> > > behaving well inside the dbus-daemon event loop - blocking synchronous
> > > calls definitely will be a showstopper there. It also won't work well
> > > with kdbus.
> > 
> > In my view (may be wrong and I expect security people to correct me)
> > we may be able to solve that.
> 
> IIRC, this solution wasn't already debated.
> 
> IMHO, this solution is costly: time to do it, time to maintain it, time
> to make it accepted upstream, dependency of DBus to cynara, the
> configuration process isn't obvious.

On the other hand, it only needs to be done once, and probably is more
secure than relying on D-Bus service implementers to do the right thing
in their code.

> It also have the drawback to be DBus specific, letting part of the world
> outside of the scope.

True, non-D-Bus still needs a solution. But that is a separate issue.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.





More information about the Dev mailing list