From 1c5f0ad98d25b7f77870ba541afbbedc65ddc355 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Fri, 11 Nov 2011 15:58:13 +0000 Subject: [PATCH 1/2] Redefine Socket_Access_Control_Credentials on D-Bus tubes to be useful I think this is what was always intended, and it seems to be what Gabble has always implemented. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=42809 --- spec/Channel_Interface_Tube.xml | 53 ++++++++++++++++++++++++++++++-------- 1 files changed, 42 insertions(+), 11 deletions(-) diff --git a/spec/Channel_Interface_Tube.xml b/spec/Channel_Interface_Tube.xml index 858a15d..f31ab21 100644 --- a/spec/Channel_Interface_Tube.xml +++ b/spec/Channel_Interface_Tube.xml @@ -204,15 +204,24 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. array-name="Socket_Access_Control_List"> - The IP or Unix socket can be accessed by any local user (e.g. - a Unix socket that accepts all local connections, or an IP socket - listening on 127.0.0.1 (or ::1) or rejecting connections not from - that address). The associated variant must be ignored. +

The IP or Unix socket can be accessed by any local user (e.g. + a Unix socket that accepts all local connections, or an IP socket + listening on 127.0.0.1 (or ::1) or rejecting connections not from + that address). The associated variant must be ignored.

+ +

For a D-Bus tube, this means that the "same user" access + control typically provided by default in D-Bus implementations + SHOULD be disabled. If the socket is only available to local users + (e.g. a Unix socket, an IPv4 socket bound to 127.0.0.1, or an + IPv6 socket bound to ::1), the ANONYMOUS + authentication mechanism MAY be enabled.

- May only be used on IP sockets. The associated variant must contain + May only be used on IP sockets, and only for Stream tubes. + + The associated variant must contain a struct Socket_Address_IPv4 (or Socket_Address_IPv6) containing the string form of an IP address of the appropriate version, and a port number. The socket can only be accessed if the @@ -235,19 +244,41 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -

May only be used on UNIX sockets. +

The high-level meaning of this access control type is that + only the same user (e.g. same numeric Unix uid) is allowed to + interact with the tube. Exactly how this is achieved varies by + channel type.

+ +

For StreamTube channels, this access control type + may only be used on UNIX sockets. The connecting process must send a byte when it first connects, which is not considered to be part of the data stream. If the operating system uses sendmsg() with SCM_CREDS or SCM_CREDENTIALS to pass credentials over sockets, the connecting process must do so if possible; if not, it must still send the - byte.

+ byte, without any attached credentials. (This mechanism is + very similar to the first byte of a D-Bus connection, except that + in D-Bus the byte is always zero, whereas in Tubes it can be + nonzero.)

+ +

For DBusTube channels, this access control type + may be used on any type of socket, and there is no extra byte + added by Telepathy at the beginning of the stream: all bytes in + the stream are part of the D-Bus tube connection. The connecting + process should prove its identity via any of the SASL + authentication mechanisms usually used for D-Bus (in typical + D-Bus implementations this involves either sending and receiving + credentials as above, or demonstrating the ability to write to a + file in the user's home directory).

-

The listening process will disconnect the connection unless it - can determine by OS-specific means that the connecting process - has the same user ID as the listening process.

+

In either case, the listening process will disconnect the + connection unless it can determine by OS-specific means that + the connecting process has the same user ID as the listening + process.

-

The associated variant must be ignored.

+

In either tube type, the associated variant must be ignored.

-- 1.7.7.2
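Review bot: In the first hunk (@@ -204,15 +204,24 @@), the added Localhost paragraph for D-Bus tubes only covers the permissive case: it says ANONYMOUS "MAY be enabled" if the socket is only available to local users, but leaves the opposite case unspecified. Suggest adding an explicit statement that ANONYMOUS is not to be enabled when the socket is reachable from non-local addresses, so implementers do not have to infer it from the conditional. The examples in this paragraph (Unix socket, IPv4 bound to 127.0.0.1, IPv6 bound to ::1) also omit the "rejecting connections not from that address" variant that the preceding paragraph allows for IP sockets; either list it here too or say why it is excluded. Since the "same user" check SHOULD be disabled here, it is also worth a sentence stating that under Localhost the peer on a D-Bus tube is any local user and its identity is not verified.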
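Review bot: In the second hunk (@@ -235,19 +244,41 @@), the added DBusTube paragraph says the connecting process should prove its identity via "any of the SASL authentication mechanisms usually used for D-Bus", which can be read as including ANONYMOUS, the mechanism the first hunk permits for Localhost. Suggest stating that under Credentials the listener must not accept ANONYMOUS, and naming the acceptable mechanisms or at least restricting the wording to mechanisms that establish the user's identity. The closing requirement that the listener verify the uid "by OS-specific means" also sits awkwardly with "may be used on any type of socket": on an IP socket no credentials can be passed, so the only route described is the file in the user's home directory, and the text should say that this counts as satisfying the same-user check. Smaller style point: this hunk uses lowercase "should" and "must" while the first hunk uses SHOULD and MAY; pick one convention for the normative keywords.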