[Dev] Cynara session ID (was: Re: enforcing privileges of web apps)
patrick.ohly at intel.com
Thu May 15 18:22:31 GMT 2014
On Thu, 2014-05-15 at 17:02 +0000, Schaufler, Casey wrote:
> > The problem for a hypothetical, patched dbus-daemon calling Cynara will be
> > to identify the session. Probably it will not have enough understanding of the
> > D-Bus interfaces that it is asked to protect to provide a meaningful identifier.
> I don't know what you mean by "identify" the session, but expect that
> it would be a matter of configuration. Not necessarily simple configuration,
> mind you.

I mean this parameter of cynara_check (from the Wiki):

    client_session - /string/ - identifier of application life or
    session. It might be needed for checking access granted for
    single session. It is service responsibility to define session
    properly, e.g. it can be defined as PID of application process
    or service-application connection identifier. libCynara do not
    interpret this string - it is just compared to previous ones to

I can imagine that a modified dbus-daemon can be configured to map a
certain interface or certain methods in an interface to certain
privileges, but configuring it to somehow create a client_session string
for a certain caller is probably going too far. Such functionality is
better provided by custom code in the service itself.

Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.