On Thu, 16.04.15 19:30, Lennart Poettering (lenn...@poettering.net) wrote:
I will grant you though that it is confusing that we use
SD_BUS_CREDS_AUGMENT here like this, and implicitly rely on that the
selinux label is not a field that is being augmented. We should make
this explicit,
On Fri, 17.04.15 13:43, Simon McVittie (simon.mcvit...@collabora.co.uk) wrote:
On 16/04/15 15:52, Andy Lutomirski wrote:
(I really think this dichotomy
needs to be removed, *especially* since it looks like code already
exists to try to use both metadata sources. This seems like it's just
On Fri, 17.04.15 09:14, Andy Lutomirski (l...@amacapital.net) wrote:
My point here is that there's no real shortage of downsides to this
scheme, and there still appears to be little to no benefit.
Well, let's turn this around. You seem to really dislike caps. And you
vaguely claim security
On Apr 20, 2015 7:57 AM, Lennart Poettering lenn...@poettering.net
wrote:
On Fri, 17.04.15 09:14, Andy Lutomirski (l...@amacapital.net) wrote:
My point here is that there's no real shortage of downsides to this
scheme, and there still appears to be little to no benefit.
Well, let's turn
On Mon, 20.04.15 08:08, Andy Lutomirski (l...@amacapital.net) wrote:
On Apr 20, 2015 7:57 AM, Lennart Poettering lenn...@poettering.net
wrote:
On Fri, 17.04.15 09:14, Andy Lutomirski (l...@amacapital.net) wrote:
My point here is that there's no real shortage of downsides to this
On Apr 20, 2015 9:07 AM, Lennart Poettering lenn...@poettering.net
wrote:
On Mon, 20.04.15 08:51, Andy Lutomirski (l...@amacapital.net) wrote:
I will grant you that they aren't particularly expressive, and I
will
grant you that one day there might be better concepts. But that's
not
On Fri, 17.04.15 08:52, Josh Triplett (j...@joshtriplett.org) wrote:
On Thu, Apr 16, 2015 at 08:23:45PM +0200, Lennart Poettering wrote:
Now, to put together a more complex scenario for you: consider a small
web UI that can be used to set the system time. It should really run at
minimal
On April 20, 2015 8:39:33 AM PDT, Lennart Poettering lenn...@poettering.net
wrote:
On Fri, 17.04.15 08:52, Josh Triplett (j...@joshtriplett.org) wrote:
On Thu, Apr 16, 2015 at 08:23:45PM +0200, Lennart Poettering wrote:
Now, to put together a more complex scenario for you: consider a
small
On Mon, 20.04.15 08:51, Andy Lutomirski (l...@amacapital.net) wrote:
I will grant you that they aren't particularly expressive, and I will
grant you that one day there might be better concepts. But that's not
a strong reason not to support them really, that's just a reason to
On Apr 20, 2015 8:22 AM, Lennart Poettering lenn...@poettering.net
wrote:
On Mon, 20.04.15 08:08, Andy Lutomirski (l...@amacapital.net) wrote:
On Apr 20, 2015 7:57 AM, Lennart Poettering lenn...@poettering.net
wrote:
On Fri, 17.04.15 09:14, Andy Lutomirski (l...@amacapital.net) wrote:
On 16/04/15 15:52, Andy Lutomirski wrote:
(I really think this dichotomy
needs to be removed, *especially* since it looks like code already
exists to try to use both metadata sources. This seems like it's just
asking for security screw-ups.)
Would it address this concern if there was an
On Fri, Apr 17, 2015 at 7:51 AM, Lennart Poettering
lenn...@poettering.net wrote:
Groups *suck* as authentication scheme. If you add one group for each
privilege you want, then you'll have a huge number of groups, and
that's hardly desirable. It's pretty close to being unmanageable with
On Thu, 16.04.15 12:45, Cameron Norman (camerontnor...@gmail.com) wrote:
On Thu, Apr 16, 2015 at 9:43 AM, Tom Gundersen t...@jklm.no wrote:
On Thu, Apr 16, 2015 at 4:52 PM, Andy Lutomirski l...@amacapital.net
wrote:
The ratio of complexity of capability code the kdbus folks have
already
On Thu, 16.04.15 12:30, Andy Lutomirski (l...@amacapital.net) wrote:
systemd itself checks CAP_SYS_KILL for clients asking to kill
arbitrary services (which means invoking kill() to all PIDs in the
service's cgroup).
Similar to this, logind checks CAP_SYS_KILL for clients asking to kill
Hi Andy,
On Thu, Apr 16, 2015 at 12:30:28PM -0700, Andy Lutomirski wrote:
On Thu, Apr 16, 2015 at 11:23 AM, Lennart Poettering
lenn...@poettering.net wrote:
[...]
AFAICT this piece of kdbus code serves to enable a rather odd way to
write privilege-separated services to change the time and
On Thu, 16.04.15 12:52, Cameron Norman (camerontnor...@gmail.com) wrote:
It's easy to construct similar examples, for example for timedated,
where setting the system clock is subject to CAP_SYS_TIME, exactly
like the underlying system call. Using timedated instead of the system
call gives
On Apr 17, 2015 4:53 AM, Djalal Harouni tix...@opendz.org wrote:
Hi Andy,
On Thu, Apr 16, 2015 at 12:30:28PM -0700, Andy Lutomirski wrote:
On Thu, Apr 16, 2015 at 11:23 AM, Lennart Poettering
lenn...@poettering.net wrote:
[...]
AFAICT this piece of kdbus code serves to enable a rather
On Apr 17, 2015 5:42 AM, Simon McVittie
simon.mcvit...@collabora.co.uk wrote:
On 16/04/15 15:52, Andy Lutomirski wrote:
(I really think this dichotomy
needs to be removed, *especially* since it looks like code already
exists to try to use both metadata sources. This seems like it's just
On Thu, Apr 16, 2015 at 08:23:45PM +0200, Lennart Poettering wrote:
Now, to put together a more complex scenario for you: consider a small
web UI that can be used to set the system time. It should really run at
minimal privileges, after all it has a surface to the web. Hence you
write it as
Hi
On Fri, Apr 17, 2015 at 5:52 PM, Josh Triplett j...@joshtriplett.org wrote:
On Thu, Apr 16, 2015 at 08:23:45PM +0200, Lennart Poettering wrote:
Now, to put together a more complex scenario for you: consider a small
web UI that can be used to set the system time. It should really run at
On Fri, Apr 17, 2015 at 06:00:04PM +0200, David Herrmann wrote:
Hi
On Fri, Apr 17, 2015 at 5:52 PM, Josh Triplett j...@joshtriplett.org wrote:
On Thu, Apr 16, 2015 at 08:23:45PM +0200, Lennart Poettering wrote:
Now, to put together a more complex scenario for you: consider a small
web UI
On Apr 17, 2015 6:05 AM, Cristian Rodríguez crrodrig...@opensuse.org wrote:
On Fri, Apr 17, 2015 at 7:51 AM, Lennart Poettering
lenn...@poettering.net wrote:
Groups *suck* as authentication scheme. If you add one group for each
privilege you want, then you'll have a huge number of groups,
Hi Andy,
On Thu, Apr 16, 2015 at 2:55 AM, Andy Lutomirski l...@amacapital.net wrote:
Yesterday, I discovered SD_BUS_VTABLE_CAPABILITY. Are there any
examples in which it does anything?
Please note that you need to be using kdbus to get any capabilities
transported, so in dbus1 this does
On Thu, Apr 16, 2015 at 3:23 AM, Tom Gundersen t...@jklm.no wrote:
Hi Andy,
On Thu, Apr 16, 2015 at 2:55 AM, Andy Lutomirski l...@amacapital.net wrote:
Yesterday, I discovered SD_BUS_VTABLE_CAPABILITY. Are there any
examples in which it does anything?
Please note that you need to be using
On Thu, 16.04.15 07:52, Andy Lutomirski (l...@amacapital.net) wrote:
I'm looking at sd_bus_query_sender_privilege, which does:
r = sd_bus_query_sender_creds(call,
SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS,
creds);
That, in turn, does:
if (!c || !(c->mask
On Thu, Apr 16, 2015 at 8:59 AM, Lennart Poettering
lenn...@poettering.net wrote:
On Thu, 16.04.15 07:52, Andy Lutomirski (l...@amacapital.net) wrote:
I'm looking at sd_bus_query_sender_privilege, which does:
r = sd_bus_query_sender_creds(call,
On Thu, Apr 16, 2015 at 4:52 PM, Andy Lutomirski l...@amacapital.net wrote:
Unshare your user namespace, set things up right, and systemd
or any other server will see you as having all capabilities. You've
fixed that in kdbus, but you haven't (and probably can't!) fix it in
the legacy code,
On Thu, Apr 16, 2015 at 9:43 AM, Tom Gundersen t...@jklm.no wrote:
On Thu, Apr 16, 2015 at 4:52 PM, Andy Lutomirski l...@amacapital.net wrote:
Unshare your user namespace, set things up right, and systemd
or any other server will see you as having all capabilities. You've
fixed that in kdbus,
On Thu, Apr 16, 2015 at 10:43 AM, Tom Gundersen t...@jklm.no wrote:
On Thu, Apr 16, 2015 at 5:57 PM, Andy Lutomirski l...@amacapital.net wrote:
We have several uses of this, see my mail to Jiri regarding
CAP_SYS_BOOT for instance:
https://lkml.org/lkml/2015/4/16/219
I read that, but I
On Thu, Apr 16, 2015 at 10:30 AM, Lennart Poettering
lenn...@poettering.net wrote:
On Thu, 16.04.15 09:53, Andy Lutomirski (l...@amacapital.net) wrote:
It's a noop, unless people OR in SD_BUS_CREDS_AUGMENT into the flags
of creds they want. Doing this basically voids your warranty: it means
On Thu, 16.04.15 09:53, Andy Lutomirski (l...@amacapital.net) wrote:
It's a noop, unless people OR in SD_BUS_CREDS_AUGMENT into the flags
of creds they want. Doing this basically voids your warranty: it means
that the creds data shall be augmented with data from /proc, which are
good
On Thu, Apr 16, 2015 at 5:57 PM, Andy Lutomirski l...@amacapital.net wrote:
We have several uses of this, see my mail to Jiri regarding
CAP_SYS_BOOT for instance:
https://lkml.org/lkml/2015/4/16/219
I read that, but I disagree with you.
CAP_SYS_BOOT is the privilege to directly
On Thu, Apr 16, 2015 at 9:43 AM, Tom Gundersen t...@jklm.no wrote:
On Thu, Apr 16, 2015 at 4:52 PM, Andy Lutomirski l...@amacapital.net wrote:
The ratio of complexity of capability code the kdbus folks have
already written (hundreds of lines across multiple files) to its
utility (very near
On Thu, Apr 16, 2015 at 11:23 AM, Lennart Poettering
lenn...@poettering.net wrote:
On Thu, 16.04.15 10:52, Andy Lutomirski (l...@amacapital.net) wrote:
It would be very helpful if you could go into details on why you think
more care is needed here than for other things. Is there anything
On Thu, Apr 16, 2015, at 02:23 PM, Lennart Poettering wrote:
Now, to put together a more complex scenario for you: consider a small
web UI that can be used to set the system time. It should really run at
minimal privileges, after all it has a surface to the web. Hence you
write it as daemon,
On Thu, 16.04.15 10:52, Andy Lutomirski (l...@amacapital.net) wrote:
It would be very helpful if you could go into details on why you think
more care is needed here than for other things. Is there anything
non-trivial going on here that I'm missing? The way capabilities are
exposed
Hi all-
Yesterday, I discovered SD_BUS_VTABLE_CAPABILITY. Are there any
examples in which it does anything? If so, I don't suppose any of you
could give me an example of:
$ cp `which dbus-send` .
$ sudo setcap all=eip dbus-send
$ dbus-send [not sure what goes here]
that passes an