Sending the FD over D-bus
William Kennington
wak at google.com
Wed Apr 10 12:13:56 AEST 2019
What is the issue with just sending them over d-bus? The only party
that can view the messages outside of the normal unicast partner is
the dbus-broker process. You are still trusting the dbus-broker in the
file descriptor case. On top of that you are probably still trusting
the mapper to give you the correct service name prior to sending the
secrets.
On Tue, Apr 9, 2019 at 12:49 PM Ratan Gupta <ratagupt at linux.vnet.ibm.com> wrote:
>
> Hi All,
>
> As discussed in yesterday's community call, I did a POC to send the
> unix FD object over D-Bus.
>
> Background: We are exploring the possibilities for sending secrets
> from one process to another process,
>
> a) If the IPC is D-bus
>
> b) Calling process doesn't have the root permission to write the secrets
> in the configuration file.
>
> One of the proposals that came up: can the calling process send the unix fd over
> D-Bus instead of sending the actual password,
> and the receiving process read the data from the sent fd?
>
> There was some confusion about whether some other app can snoop the D-Bus message,
> get the FD and read it. I tried to simulate the same
> behavior in the POC but am not sure whether it is correct or not.
>
> This POC has two files, which are attached to this mail.
>
> Dbus-Service (dbus-service-fd-test.py): Method (readFD) which takes the
> unix fd as a parameter, reads it and sends the data back.
>
> Dbus-Client (dbus-client-fd-test.py): Writes dummy data to the file, then
> opens the file and sends the fd over D-Bus.
>
>
> After sending the data over D-Bus, I introduced a sleep of 15 sec so
> that I could try to open the same fd from another
> process. I opened the Python shell and tried to open the shared FD but
> couldn't open it.
>
> Ratan
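Added example, not part of the original thread or the attached POC: the sketch below shows why a descriptor number is useless to a process that only learns the integer, while any process the message is delivered to gets a working descriptor. It uses a plain `AF_UNIX` socket pair with `SCM_RIGHTS` (the mechanism D-Bus relies on for its UNIX_FD type on the Unix socket transport) instead of a real bus; `SECRET`, `BYSTANDER`, `send_fd`, `recv_fd` and `demo` are names made up for this example.

```python
import array
import os
import socket
import subprocess
import sys
import tempfile

SECRET = b"constructed-demo-secret"  # constructed sample, not a real credential
# Bystander: separate process that knows only the integer; exits 3 on EBADF.
BYSTANDER = ("import errno, os, sys\n"
             "try:\n    os.fstat(int(sys.argv[1]))\n"
             "except OSError as e:\n    sys.exit(3 if e.errno == errno.EBADF else 4)\n")


def send_fd(sock, fd):
    """Attach one descriptor to a 1-byte message as SCM_RIGHTS ancillary data."""
    rights = array.array("i", [fd])
    sock.sendmsg([b"F"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, rights)])


def recv_fd(sock):
    """Receive one descriptor; the kernel installs it under a new local number."""
    fds = array.array("i")
    _, ancdata, _, _ = sock.recvmsg(1, socket.CMSG_SPACE(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:fds.itemsize])
            return fds[0]
    raise RuntimeError("message carried no descriptor")


def demo():
    """Return (sent_fd, received_fd, bytes_read, bystander_exit_code)."""
    client, service = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with client, service, tempfile.TemporaryFile() as f:  # unlinked: no path to reopen
        f.write(SECRET)
        f.flush()
        f.seek(0)
        sent = f.fileno()
        send_fd(client, sent)
        received = recv_fd(service)
        data = os.read(received, 64)  # works: same open file description
        os.close(received)
        # Default close_fds=True: the child inherits nothing beyond stdio.
        rc = subprocess.run([sys.executable, "-c", BYSTANDER, str(sent)]).returncode
    return sent, received, data, rc


if __name__ == "__main__":
    print(demo())
```

The bystander fails with `EBADF` because descriptor numbers are indexes into a per-process table, whereas every process the message passes through, a bus broker included, receives its own usable copy.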