Hi,

On Fri, 2014-10-24 at 06:26 -0700, Ryan P.C. McQuen wrote:
> Hello connman group,
>
> Thank you for this great project! I just packaged it for my Linux
> distribution, and noticed that this patch has been floating around for
> a while. Many distros use the netdev group for their networking
> programs. It would be excellent if this could be incorporated into the
> upstream connman project. Patrik Flykt advised that I should post the
> patch inline here, so here it goes:
>
>
> --- connman-dbus.conf 2011-04-18 02:03:56.000000000 -0700
> +++ connman-dbus.conf.diff 2014-10-23 21:37:34.638075357 -0700
> @@ -8,6 +8,11 @@
> <allow send_interface="net.connman.Counter"/>
> <allow send_interface="net.connman.Notification"/>
> </policy>
> + <policy group="netdev">
> + <allow send_destination="net.connman"/>

IIRC the netdev group is now allowed to send to the app that has registered net.connman.

> + <allow send_interface="net.connman.Agent"/>
> + <allow send_interface="net.connman.Counter"/>

These two lines seem to allow everybody in the netdev group to send messages to anyone that implements the Agent API. To me this looks like a security problem, as only ConnMan should be allowed to query UIs for passwords. As the netdev group is not allowed to own the net.connman service, ConnMan is not running as a member of this group, right?

I tried to figure out the exact meaning of send_destination and send_interface, but I'm not convinced I got it correct, so any comments would be appreciated...

Cheers,

Patrik
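
Review bot: The two `send_interface` rules added inside `<policy group="netdev">` (`net.connman.Agent` and `net.connman.Counter`) carry no `send_destination`, so they are not limited to messages addressed to `net.connman`. In a D-Bus policy rule the attributes are ANDed and an omitted attribute matches anything, so each of these lines permits any member of `netdev` to send on that interface to any bus name that implements it, including a UI's password agent. If the goal is only to let `netdev` users talk to ConnMan, `<allow send_destination="net.connman"/>` on its own covers that; I would drop the two `send_interface` lines from the group policy, or pair each with a `send_destination` if there is a concrete need for them. The file headers also compare `connman-dbus.conf` against `connman-dbus.conf.diff`; regenerating the patch against the file's path in the source tree would make it apply cleanly.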