[Dev] Cynara session ID (was: Re: enforcing privileges of web apps)
jose.bollo at open.eurogiciel.org
Fri May 16 06:58:51 GMT 2014
On Thu, 2014-05-15 at 20:22 +0200, Patrick Ohly wrote:
> On Thu, 2014-05-15 at 17:02 +0000, Schaufler, Casey wrote:
> > > The problem for a hypothetical, patched dbus-daemon calling Cynara will be
> > > to identify the session. Probably it will not have enough understanding of the
> > > D-Bus interfaces that it is asked to protect to provide a meaningful identifier.
> > I don't know what you mean by "identify" the session, but expect that
> > it would be a matter of configuration. Not necessarily simple configuration,
> > mind you.
> I mean this parameter of cynara_check (from the Wiki):
> client_session - /string/ - identifier of application life or
> session. It might be needed for checking access granted for
> single session. It is service responsibility to define session
> properly, e.g. it can be defined as PID of application process
> or service-application connection identifier. libCynara does not
> interpret this string - it is just compared to previous ones to
> distinguish sessions.
> I can imagine that a modified dbus-daemon can be configured to map a
> certain interface or certain methods in an interface to certain
> privileges, but configuring it to somehow create a client_session string
> for a certain caller is probably going too far. Such functionality is
> better provided by custom code in the service itself.
I share your analysis. It isn't pragmatic to expect that dbus will guess
the session id.
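As an added illustration of the point under discussion (this is example code written for this page, not code from the Cynara project or from anyone in the thread), the model below mimics the semantics quoted above: the service chooses the client_session string, and the checker only compares it with strings it has seen before. It shows why the choice matters for a grant that is meant to last one session. The package name, user id, privilege string and the "start ticks" value are constructed sample values; the idea of combining a PID with the process start time (field 22 of /proc/<pid>/stat on Linux) and of using the D-Bus unique bus name as the connection identifier are the author's assumptions, not something the Cynara API prescribes.

```python
"""Model of per-session grants keyed by a service-chosen client_session.

Added example, not Cynara code. It demonstrates how the string a service
passes as client_session decides whether a grant outlives the process it
was given to.
"""


def session_from_pid(pid: int) -> str:
    """Session id = PID only (one of the options named on the wiki)."""
    return str(pid)


def session_from_pid_and_start(pid: int, start_ticks: int) -> str:
    """Session id = PID plus process start time (assumption: start_ticks
    would be read from /proc/<pid>/stat on a real system)."""
    return f"{pid}:{start_ticks}"


def session_from_bus_name(unique_name: str) -> str:
    """Session id = D-Bus unique connection name, e.g. ':1.42' (assumption:
    a D-Bus service can use this as the service-application connection id)."""
    return unique_name


class SessionGrantCache:
    """Stands in for the part of a checker that remembers 'allowed for this
    session' decisions. Like libCynara, it never interprets the session
    string; it only compares it with previously stored ones."""

    def __init__(self) -> None:
        self._grants: set[tuple[str, str, str, str]] = set()

    def grant(self, client: str, client_session: str, user: str, privilege: str) -> None:
        self._grants.add((client, client_session, user, privilege))

    def check(self, client: str, client_session: str, user: str, privilege: str) -> bool:
        return (client, client_session, user, privilege) in self._grants


# Constructed sample identifiers (not real Tizen policy data).
CLIENT = "User::App::org.example.camera"
USER = "5001"
PRIV = "http://tizen.org/privilege/camera"


def demo() -> dict[str, bool]:
    """Run the same scenario with three session-id strategies.

    Scenario: process A (pid 1234) is granted the privilege for its session,
    then exits. Process B of the same app is started later and, by chance,
    is assigned the same pid 1234. Does A's session grant leak to B?
    """
    results = {}

    # 1. PID only: B inherits A's grant because the strings are equal.
    cache = SessionGrantCache()
    cache.grant(CLIENT, session_from_pid(1234), USER, PRIV)
    results["pid_only_leaks"] = cache.check(CLIENT, session_from_pid(1234), USER, PRIV)

    # 2. PID + start time: A started at tick 100, B at tick 900; no leak.
    cache = SessionGrantCache()
    cache.grant(CLIENT, session_from_pid_and_start(1234, 100), USER, PRIV)
    results["pid_start_leaks"] = cache.check(
        CLIENT, session_from_pid_and_start(1234, 900), USER, PRIV)
    # The original process, still running, keeps its grant.
    results["pid_start_same_process_ok"] = cache.check(
        CLIENT, session_from_pid_and_start(1234, 100), USER, PRIV)

    # 3. D-Bus unique name: each connection gets a fresh name; no leak.
    cache = SessionGrantCache()
    cache.grant(CLIENT, session_from_bus_name(":1.42"), USER, PRIV)
    results["bus_name_leaks"] = cache.check(CLIENT, session_from_bus_name(":1.57"), USER, PRIV)
    results["bus_name_same_connection_ok"] = cache.check(
        CLIENT, session_from_bus_name(":1.42"), USER, PRIV)

    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model also shows why the thread's conclusion is reasonable: only the service knows which of these strings is the right session boundary for the interface it exposes, and a generic dbus-daemon hook would have to guess.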