On Fri, 2009-04-24 at 16:16 -0400, Paul Wouters wrote: > On Fri, 24 Apr 2009, Dan Williams wrote: > > >> people want to get notifications in userland on tunnels failing, they > >> should configure the ipsec tunnel to use Dead Peer Detection (RFC3706) > > > > Ok, how does that actually show up in userspace? What can we make the > > NM vpn plugin daemon listen for? > > You tell me. What infrastructure is there for NM? I know there is dbus, > but I don't think that channel can be secured at all. Would unauthenticated > announcements be okay? Does NM have any other listening or polling methods?
D-Bus can certainly be secured. D-Bus security is based on a few different mechanisms; one of which is user-based authentication. So you can make sure that only the root user can access the D-Bus interface, or only a certain group, or only users determined to be "at console" (ie, physically present and not via SSH or remote X). Beyond that, finer-grained access control is accomplished with stuff like PolicyKit, but you probably don't need that. Otherwise, socket-based mechanisms (that user peer credentials to authenticate the remote UID, which is what D-Bus uses too) would be fine too, as long as that socket-based API was sane. I guess I would have assumed something like this would be available already via whack, but perhaps I misunderstand how the stack fits together. Dan > > Yeah there's support for this. Basically, you have two classes of > > connections: system and user. Just like OS X actually. User > > connections credentials and details are stored in the user session and > > do not survive fast-user-switch. System connections are stored outside > > of the user session, and thus are available before login and survive a > > fast user switch. So if you don't want your VPN to be avialable to > > everyone, you keep it as a user connection. If you don't care, you make > > it a system connection and "available to all users" as the UI > > checkbutton puts it. > > That's good. > > Paul _______________________________________________ NetworkManager-list mailing list [email protected] http://mail.gnome.org/mailman/listinfo/networkmanager-list
