Raphael Hertzog wrote: > On Sun, 23 Nov 2008, Bart Samwel wrote: >>> 1. This program is running as root, right? I would be very careful with >>> sourcing arbitrary shell commands from a users home directory then. >> I agree that that would be risky. However, on my system the .dbus >> directory is owned by root and not accessible to anyone else. So that >> should be no problem. (The session dbus system is apparently set up by > > Yes it is a problem. Here it's not owned by root and furthermore the user > has write rights to ~/ so he can "mv .dbus .dbus-temp". > > Please be more careful about security when you think of code running as > root.
ACK -- this needs more thought. > You should rather parse those files and not source them directly. That was in fact what I had in mind for the actual implementation -- yesterday's stuff was just a quick "proof of concept" to check if it would work at all. > Or maybe you can call dbus-send with the user rights (su user -c "") > provided that you include an "export DISPLAY=…" command before the > dbus-send command ? Sounds like a definite possibility. The export DISPLAY=... stuff won't work however, because dbus doesn't derive it's session bus from that AFAICT. I really need to set the three env variables listed in one of the .dbus/session-bus/* files. Perhaps I can run an entire script as the user, which then tries to determine the session bus parameters (safely sourcing these files) and then tries to send commands to the session bus. Yes, I think that would work. Cheers, Bart -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
