[Dev] Cynara session ID (was: Re: enforcing priviliges of web apps)

José Bollo jose.bollo at open.eurogiciel.org
Fri May 16 06:58:51 GMT 2014


On Thu, 2014-05-15 at 20:22 +0200, Patrick Ohly wrote:
> On Thu, 2014-05-15 at 17:02 +0000, Schaufler, Casey wrote:
> > > The problem for a hypothetical, patched dbus-daemon calling Cynara will be
> > > to identify the session. Probably it will not have enough understanding of the
> > > D-Bus interfaces that it is asked to protect to provide a meaningful identifier.
> > 
> > I don't know what you mean by "identify" the session, but expect that
> > it would be a matter of configuration. Not necessarily simple configuration,
> > mind you.
> 
> I mean this parameter of cynara_check (from the Wiki):
> 
>         client_session - /string/ - identifier of application life or
>         session. It might be needed for checking access granted for
>         single session. It is service responsibility to define session
>         properly, e.g. it can be defined as PID of application process
>         or service-application connection identifier. libCynara do not
>         interpret this string - it is just compared to previous ones to
>         distinguish sessions.
> 
> I can imagine that a modified dbus-daemon can be configured to map a
> certain interface or certain methods in an interface to certain
> privileges, but configuring it to somehow create a client_session string
> for a certain caller is probably going too far. Such functionality is
> better provided by custom code in the service itself.
> 

I share your analysis. It isn't pragmatic to expect that dbus will guess
the session id.

Best regards
José



