Hi,

On Fri, 2014-10-24 at 06:26 -0700, Ryan P.C. McQuen wrote:
> Hello connman group,
> 
> Thank you for this great project! I just packaged it for my Linux
> distribution, and noticed that this patch has been floating around for
> a while. Many distros use the netdev group for their networking
> programs. It would be excellent if this could be incorporated into the
> upstream connman project. Patrik Flykt advised that I should post the
> patch inline here, so here it goes:
> 
> 
> --- connman-dbus.conf   2011-04-18 02:03:56.000000000 -0700
> +++ connman-dbus.conf.diff      2014-10-23 21:37:34.638075357 -0700
> @@ -8,6 +8,11 @@
>         <allow send_interface="net.connman.Counter"/>
>         <allow send_interface="net.connman.Notification"/>
>     </policy>
> +    <policy group="netdev">
> +        <allow send_destination="net.connman"/>

IIRC the netdev group is now allowed to send to the app that has
registered net.connman.

> +        <allow send_interface="net.connman.Agent"/>
> +        <allow send_interface="net.connman.Counter"/>
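
Review bot: the two send_interface rules that close the added netdev policy carry no send_destination, so they match on the interface alone rather than on messages addressed to net.connman. If the aim is only to let netdev members talk to ConnMan, drop both lines and keep the send_destination="net.connman" rule, or give each send_interface rule an explicit send_destination. Separately, the +++ header names connman-dbus.conf.diff as the new file, which looks like a leftover from how the diff was generated.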

These two lines seem to allow everybody in the netdev group to send
messages to anyone that implements the Agent API. To me this looks like
a security problem, as only ConnMan should be allowed to query UIs for
passwords. As the netdev group is not allowed to own the net.connman
service, ConnMan is not running as a member of this group, right?

I tried to figure out the exact meaning of send_destination and
send_interface, but I'm not convinced I got it correct, so any comments
would be appreciated...

Cheers,

        Patrik

_______________________________________________
connman mailing list
connman@connman.net
https://lists.connman.net/mailman/listinfo/connman
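
Added example, not part of the original thread or of ConnMan's code: a small Python check that lists `<allow send_interface=...>` rules with no `send_destination`, the pattern questioned in the reply above. The sample policy is constructed, and treating `user=root` as the daemon's own policy is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the patched connman-dbus.conf discussed above;
# the root and default policies are assumptions, not the real file.
SAMPLE_POLICY = """\
<busconfig>
    <policy user="root">
        <allow own="net.connman"/>
        <allow send_destination="net.connman"/>
        <allow send_interface="net.connman.Agent"/>
    </policy>
    <policy group="netdev">
        <allow send_destination="net.connman"/>
        <allow send_interface="net.connman.Agent"/>
        <allow send_interface="net.connman.Counter"/>
    </policy>
    <policy context="default">
        <deny send_destination="net.connman"/>
    </policy>
</busconfig>
"""

def policy_subject(policy):
    """Return a label such as 'group=netdev' for a <policy> element."""
    for attr in ("user", "group", "context", "at_console"):
        if attr in policy.attrib:
            return f"{attr}={policy.attrib[attr]}"
    return "unknown"

def unscoped_send_rules(xml_text, trusted=("user=root",)):
    """List (subject, interface) for <allow send_interface=...> rules that
    name no send_destination, so they match messages to any bus name."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        subject = policy_subject(policy)
        if subject in trusted:
            continue  # assumption: the daemon's own user must reach agents
        for rule in policy.findall("allow"):
            attrs = rule.attrib
            if "send_interface" in attrs and "send_destination" not in attrs:
                findings.append((subject, attrs["send_interface"]))
    return findings

if __name__ == "__main__":
    for subject, iface in unscoped_send_rules(SAMPLE_POLICY):
        print(f"{subject}: send_interface={iface} has no send_destination")
```

Pass `trusted=()` to report the root policy's unscoped rule as well.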
