On 2015-04-28 13:15, Lukasz Wojciechowski wrote:
> Thank you, Sven
> 
> I did see the dbus conf, but it allows only robust security
> configuration at the level of interfaces and already defined users.

Take a look at dbus-daemon's documentation. It allows member-level
configuration, not just interfaces, and can work with groups just as
well as users.

> I would like to have more granularity and that is why I analyzed
> security plugins.
> 
> Let me give an example:
> I would like to allow only some users to configure wifi. Users can be
> created at runtime of a system. I would have to change connman-dbus.conf
> every time a user is created, removed or I just want to limit his/her
> privileges. With polkit working I can change or add rules that can
> distinguish users and methods not only interfaces.
> 
> I just wonder if anyone uses it or is interested in maintaining that
> mechanism or is it just a relic of the past.
> 
> Best regards
> Lukasz
> 
> On 2015-04-28 at 13:02, Sven Schwedas wrote:
>> On 2015-04-28 12:42, Lukasz Wojciechowski wrote:
>>> Hi
>>>
>>> I'm studying connman's code and I'm interested in limiting access to
>>> some API.
>>> I found that there is a mechanism for defining security plugins, that
>>> set GDBusSecurityTable by calling g_dbus_register_security().
>>> There is only one such plugin implemented - polkit plugin.
>>>
>>> However IMO it seems to be dead.
>>> It registers polkit checks for privileges: CONNMAN_PRIVILEGE_MODIFY and
>>> CONNMAN_PRIVILEGE_SECRET,
>>> but all gdbus methods registered with GDBUS_*_METHOD macros do not set
>>> privilege field in GDBusMethodTable structure.
>>> Because of that security checks are never run, because method->privilege
>>> never equals security->privilege (check_privilege() function in
>>> gdbus/object.c).
>>>
>>> So I have a few questions:
>>> * What am I missing? How does this security work?
>>> * Are there any plans for defining privileges for methods?
>> Connman uses DBus' bus policies to limit access, cf.
>>
>>> http://git.kernel.org/cgit/network/connman/connman.git/tree/src/connman-dbus.conf
>>>
>> and the respective file for connman-vpn. Distributions seem to tweak
>> those to limit/grant access.
>>
>> No idea what the other code is for.
>>
>>
>>
>> _______________________________________________
>> connman mailing list
>> connman@connman.net
>> https://lists.connman.net/mailman/listinfo/connman
> 

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwe...@tao.at | +43 (0)680 301 7167
http://software.tao.at
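
As an added illustration of the member-level, group-based bus policy described in the reply above (not part of the original thread and not connman's shipped connman-dbus.conf): the fragment below lets any user talk to connman but limits the state-changing Technology calls to members of one group, so granting or revoking the right for a user created at runtime is a group membership change rather than an edit to the policy file. The group name `wifi-admin` and the choice of restricted methods are assumptions made for the example.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<!-- Constructed example for a file under /etc/dbus-1/system.d/ -->
<busconfig>

  <!-- root owns the bus name and may call everything. -->
  <policy user="root">
    <allow own="net.connman"/>
    <allow send_destination="net.connman"/>
  </policy>

  <!-- context="default" policies are applied first, to every connection.
       Within one policy, later rules override earlier ones, so the two
       member-level denials win over the broad allow above them. -->
  <policy context="default">
    <allow send_destination="net.connman"/>
    <deny send_destination="net.connman"
          send_interface="net.connman.Technology"
          send_member="SetProperty"/>
    <deny send_destination="net.connman"
          send_interface="net.connman.Technology"
          send_member="Scan"/>
  </policy>

  <!-- group policies are applied after the default policy, so these
       allows override the denials for members of the (hypothetical)
       wifi-admin group only. -->
  <policy group="wifi-admin">
    <allow send_destination="net.connman"
           send_interface="net.connman.Technology"
           send_member="SetProperty"/>
    <allow send_destination="net.connman"
           send_interface="net.connman.Technology"
           send_member="Scan"/>
  </policy>

</busconfig>
```

The dbus-daemon documentation cautions that the interface field in messages is optional, so rules keyed on `send_interface` should always be scoped with `send_destination`, as they are here, and tested against calls that omit the interface.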
