On 2.10.2012 11:20, Patrick Ohly wrote:
The problem is that on most Linux systems, neither browser nor such a SSO agent are currently necessarily safer or more trustworthy than the app itself.
Generally browsers are fairly well tested and users have to trust those for many of the online commerce things anyway. In any case, asking user credentials from application clearly attempts to violate two-factor authentication scheme.
SSO will, AFAIK, ship in Ubuntu 12.10, but I haven't got time to check how they configured it. You can run the daemon under different user id than the user's. And with SMACK-enabled kernel you get full two-level local access control (you can define which process in which context can ask for what, per each stored item). It would be fairly trivial to make it support SELinux too, just matter of writing a simple extension class.
At rudimentary level (lacking SMACK/SELinux) you could specify ACL per binary path defining what kind of requests are allowed.
_______________________________________________ SyncEvolution mailing list [email protected] http://lists.syncevolution.org/listinfo/syncevolution
