Thank you, Sven

I did see the dbus conf, but it allows only robust security configuration at the level of interfaces and already defined users. I would like to have more granularity and that is why I analyzed security plugins.

Let me give an example:
I would like to allow only some users to configure wifi. Users can be created at runtime of a system. I would have to change connman-dbus.conf every time a user is created or removed, or whenever I just want to limit his/her privileges. With polkit working I can change or add rules that can distinguish users and methods, not only interfaces.

I just wonder if anyone uses it or is interested in maintaining that mechanism, or is it just a relic of the past.

Best regards
Lukasz

On 2015-04-28 at 13:02, Sven Schwedas wrote:
On 2015-04-28 12:42, Lukasz Wojciechowski wrote:
Hi

I'm studying connman's code and I'm interested in limiting access to
some API.
I found that there is a mechanism for defining security plugins, that
set GDBusSecurityTable by calling g_dbus_register_security().
There is only one such plugin implemented - polkit plugin.

However IMO it seems to be dead.
It registers polkit checks for privileges: CONNMAN_PRIVILEGE_MODIFY and
CONNMAN_PRIVILEGE_SECRET,
but all gdbus methods registered with GDBUS_*_METHOD macros do not set
privilege field in GDBusMethodTable structure.
Because of that security checks are never run, because method->privilege
never equals security->privilege (check_privilege() function in
gdbus/object.c).

So I have a few questions:
* What am I missing? How does this security work?
* Are there any plans for defining privileges for methods?

Connman uses DBus' bus policies to limit access, cf.

http://git.kernel.org/cgit/network/connman/connman.git/tree/src/connman-dbus.conf
and the respective file for connman-vpn. Distributions seem to tweak
those to limit/grant access.

No idea what the other code is for.



_______________________________________________
connman mailing list
connman@connman.net
https://lists.connman.net/mailman/listinfo/connman
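
The behaviour described in the original question (a security table whose checks never fire because no method carries a matching privilege), as an added simplified C model that is not connman or gdbus code. All type, function and constant names are hypothetical, the sample methods and senders are constructed, and the authorizer stands in for a polkit query.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model; names and values are hypothetical, not gdbus code. */
enum { PRIV_NONE = 0, PRIV_MODIFY = 1, PRIV_SECRET = 2 };

struct method_entry {
    const char *name;
    unsigned int privilege;  /* 0 when the registration leaves it unset */
};

struct security_entry {
    unsigned int privilege;
    bool (*authorize)(const char *sender);  /* stand-in for a polkit query */
};

static int checks_run;  /* how many times an authorizer was consulted */

static bool only_admin(const char *sender)
{
    checks_run++;
    return strcmp(sender, "admin") == 0;
}

static const struct security_entry security_table[] = {
    { PRIV_MODIFY, only_admin },
    { PRIV_SECRET, only_admin },
    { 0, NULL }  /* terminator */
};

/* Returns true when the call may reach the method handler. */
static bool dispatch_allowed(const struct method_entry *m, const char *sender)
{
    const struct security_entry *s;

    for (s = security_table; s->privilege; s++) {
        if (s->privilege != m->privilege)
            continue;  /* privilege mismatch: entry skipped */
        return s->authorize(sender);
    }
    return true;  /* nothing matched: the call proceeds unchecked */
}

/* Constructed sample methods: one with no privilege set, one tagged. */
static const struct method_entry untagged = { "ExampleMethod", PRIV_NONE };
static const struct method_entry tagged = { "ExampleMethod", PRIV_MODIFY };
```

In this model only the D-Bus bus policy would stand between a caller and the untagged method; the per-user decision becomes reachable once the method entry carries a privilege that appears in the security table.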
