On Thu, Oct 30, 2014 at 1:45 AM, Patrik Flykt <[email protected]> wrote:
> IIRC the netdev group is now allowed to send to the app that has
> registered net.connman.

Thank you Patrik! I'd like to remove the request for this patch. I'm typing right now from a connection established with an unpatched connman-1.26. Updating my build now. Hopefully this message will get out to other maintainers, since everyone seems to be using a similar patch.

For posterity here is the commit of my updated build:
http://slackbuilds.org/cgit/slackbuilds/commit/?id=f66e707bf

Once the next public merge happens it will be here:
http://slackbuilds.org/apps/connman/

Thank you!

- --
---
<ryanpcmcquen.com>

On Thu, Oct 30, 2014 at 1:45 AM, Patrik Flykt <[email protected]> wrote:
>
> Hi,
>
> On Fri, 2014-10-24 at 06:26 -0700, Ryan P.C. McQuen wrote:
>> Hello connman group,
>>
>> Thank you for this great project! I just packaged it for my Linux
>> distribution, and noticed that this patch has been floating around for
>> a while. Many distros use the netdev group for their networking
>> programs. It would be excellent if this could be incorporated into the
>> upstream connman project. Patrik Flykt advised that I should post the
>> patch inline here, so here it goes:
>>
>>
>> --- connman-dbus.conf 2011-04-18 02:03:56.000000000 -0700 >> +++ connman-dbus.conf.diff 2014-10-23 21:37:34.638075357 -0700 
>> @@ -8,6 +8,11 @@ >> <allow send_interface="net.connman.Counter"/> >> <allow send_interface="net.connman.Notification"/> >> </policy> >> + <policy group="netdev"> >> + <allow send_destination="net.connman"/> > > IIRC the netdev group is now allowed to send to the app that has > registered net.connman. > >> + <allow send_interface="net.connman.Agent"/> >> + <allow send_interface="net.connman.Counter"/> > > These two lines seem to allow everybody in the netdev group to send > messages to anyone that implements the Agent API. To me this looks like > a security problem, as only ConnMan should be allowed to query UIs for > passwords. As the netdev group is not allowed to own the net.connman > service, ConnMan is not running as a member of this group, right? > > I tried to figure out the exact meaning of send_destination and > send_interface, but I'm not convinced I got it correct, so any comments > would be appreciated... > > Cheers, > > Patrik > > _______________________________________________ > connman mailing list > [email protected] > https://lists.connman.net/mailman/listinfo/connman
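
Review bot: The two send_interface allows in the new netdev policy (`net.connman.Agent` and `net.connman.Counter`) carry no send_destination, so they match messages on those interfaces to any bus name, not only to ConnMan. Members of netdev would then be allowed to call Agent methods on whatever process implements that interface, which is the direction only ConnMan itself should use. Suggest dropping both lines and keeping only `<allow send_destination="net.connman"/>` in this policy, or, if they are needed, pairing each with an explicit send_destination.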
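
The send_destination / send_interface question raised in the quoted review can be checked mechanically over a D-Bus policy file. The following is an added example, not part of the original thread or of ConnMan; the function names and the minimal `<busconfig>` wrapper around the patch's netdev rules are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the netdev rules from the quoted patch, wrapped in a
# minimal <busconfig> so that it parses. The closing tags are assumed.
SAMPLE = """\
<busconfig>
  <policy group="netdev">
    <allow send_destination="net.connman"/>
    <allow send_interface="net.connman.Agent"/>
    <allow send_interface="net.connman.Counter"/>
  </policy>
</busconfig>
"""


def policy_subject(policy):
    """Describe who a <policy> element applies to."""
    for key in ("user", "group", "context", "at_console"):
        if key in policy.attrib:
            return f"{key}={policy.attrib[key]}"
    return "unscoped"


def unscoped_send_allows(xml_text):
    """Return (subject, interface) for every <allow> rule that names a
    send_interface but no send_destination. A rule matches when all of its
    attributes match, so such a rule permits messages on that interface to
    any destination on the bus."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("policy"):
        for rule in policy.findall("allow"):
            attrs = rule.attrib
            if "send_interface" in attrs and "send_destination" not in attrs:
                findings.append((policy_subject(policy), attrs["send_interface"]))
    return findings


if __name__ == "__main__":
    for subject, iface in unscoped_send_allows(SAMPLE):
        print(f"policy {subject}: send_interface={iface} has no send_destination")
```

The rule `<allow send_destination="net.connman"/>` is not reported, because it is already limited to the ConnMan service.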
