On 16.10.2013 18:57, Schaufler, Casey wrote:
> Even with single launcher it could run as non-root with its own UID and just
> have enough capabilities to do its task?
Certainly. Locking down the individual POSIX capabilities is more work, but
it's just work.
One of the concerns I have with this one privileged launcher instead of a
non-privileged within-session launcher is pre-loading and
pre-initialization of frameworks with plugins.
For example gstreamer can benefit quite a lot from pre-initialization.
But if we allow third parties to install plugins this opens a gaping
security hole in the system, because part of the initialization is
usually loading plugins from a directory and then requesting
capabilities of those plugins. Now through the shared library entry
points you can in this case gain elevated privileges.
Generally of course you cannot trust plugins. That's why for example in
gsignond we have a separate "plugind" per loaded plugin that handles
communication between a plugin and daemon over IPC.
_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
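The check a privileged launcher would want before it touches a plugin directory, as an added example (not code from this thread, from Tizen or from gsignond): refuse to dlopen anything that a non-root user could have written or swapped in. The `plugin_describe` entry point name is a hypothetical plugin ABI used only for illustration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <dlfcn.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Policy on a stat() result: expected type (S_IFREG for a plugin, S_IFDIR for
 * the directory), owned by root, not writable by group or others. Else refuse. */
int plugin_path_is_trusted(const struct stat *st, mode_t expected_type)
{
    if ((st->st_mode & S_IFMT) != expected_type) return 0;
    if (st->st_uid != 0) return 0;                   /* only root may install */
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return 0; /* nobody else may edit  */
    return 1;
}

/* Scan dir and dlopen only the .so files that pass the policy. Returns the
 * number loaded, or -1 if the directory itself is untrusted (anyone could add a .so). */
int load_trusted_plugins(const char *dir)
{
    struct stat st;
    int loaded = 0;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0 || fstat(dfd, &st) < 0 || !plugin_path_is_trusted(&st, S_IFDIR)) {
        if (dfd >= 0) close(dfd);
        return -1;
    }
    DIR *d = fdopendir(dfd);                         /* d now owns dfd */
    if (!d) { close(dfd); return -1; }
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        size_t n = strlen(e->d_name);
        if (n < 4 || strcmp(e->d_name + n - 3, ".so") != 0) continue;
        /* AT_SYMLINK_NOFOLLOW: a symlink into a user-writable location is refused, not resolved */
        if (fstatat(dfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0 ||
            !plugin_path_is_trusted(&st, S_IFREG))
            { fprintf(stderr, "refusing untrusted plugin %s\n", e->d_name); continue; }
        char path[PATH_MAX];
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        void *h = dlopen(path, RTLD_NOW | RTLD_LOCAL);
        if (h && dlsym(h, "plugin_describe")) loaded++; /* hypothetical entry point */
        else if (h) dlclose(h);
    }
    closedir(d);
    return loaded;
}
```

Because the directory itself must be root-owned and not group/world writable, only root can replace a plugin between the fstatat() and the dlopen(), which is what makes the per-file check meaningful.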