Ralph Böhme wrote on 2/01/2014 11:36:

Hi Ralph,

[cut]

>>> I must run Tracker as root, because I must be able to index a
>>> _shared_ resource, ie all files of a fileserver (currently
>>> AFP/Netatalk, in the future SMB/Samba).
>> Ok, makes sense.
>>
>> [cut - security warning about running tracker-extract as root]
>
> Point taken.

Good :)

>> [cut - technical proposals to improve the situation and other
>> cuts]
>>> The whole Tracker design must be updated to optionally allow
>>> running Tracker in dbus system context, not in user context.
>>
>> Yes I agree with this for your use-case.
>>
>> I think it should be at least an option, a commandline switch or
>> perhaps even a compile time option. I wouldn't be against it
>> (noting to your users the warning about tracker-extract that I
>> just gave - which I do think you ought to take very seriously).
>
> fwiw, the requirements for the described use case don't
> necessarily require running Tracker as root. What's needed is using
> dbus system context, not session context, so that arbitrary users
> (processes with distinct uids) can connect. The latter is not
> allowed by dbus for user context services (ie you can't connect as
> arbitrary user to a dbus session service from another user (another
> euid that is)).

nod. Correct afaik.

> A proper solution (with security in mind) might be
> * add an option that makes Tracker use system dbus context instead
>   of session context
> * add another option to take a user under which Tracker will run in
>   this case, this user MUST not be root

Patches that implement this would be welcomed. At least from my side.
Note that other Tracker maintainers might also have a point of view.

Some locations in the code:

For tracker-store:
https://git.gnome.org/browse/tracker/tree/src/libtracker-bus/tracker-bus.vala#n24
https://git.gnome.org/browse/tracker/tree/src/libtracker-sparql-backend/tracker-backend.vala#n37
https://git.gnome.org/browse/tracker/tree/src/tracker-store/tracker-dbus.vala#n95

This one is used by tracker-extract:
https://git.gnome.org/browse/tracker/tree/src/libtracker-common/tracker-dbus.c#n70

The D-Bus service for all miners:
https://git.gnome.org/browse/tracker/tree/src/libtracker-miner/tracker-miner-manager.c#n409

Unfortunate manual D-Bus connection to tracker-store from miner-fs:
https://git.gnome.org/browse/tracker/tree/src/miners/fs/tracker-main.c#n772

In case you need tracker-writeback:
https://git.gnome.org/browse/tracker/tree/src/miners/fs/tracker-writeback-listener.c#n193

Philip
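
Added example, not part of the original message and not Tracker's own configuration: a D-Bus system bus policy file of the kind the proposal above would need, since the stock system bus policy denies owning names and sending method calls unless a policy allows them. The account name `indexer-svc`, the bus name `org.example.Indexer1` and the file name are placeholders; the real service's well-known name would go in their place.

```xml
<!-- Placeholder path: /etc/dbus-1/system.d/org.example.Indexer1.conf -->
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Only the dedicated, unprivileged account may claim the name.
       "indexer-svc" is a placeholder for the non-root user passed
       via the proposed run-as option. There is deliberately no
       <policy user="root"> block granting ownership. -->
  <policy user="indexer-svc">
    <allow own="org.example.Indexer1"/>
  </policy>

  <!-- Every local uid may call the service, which is the point of
       moving from the session bus to the system bus. Nobody else is
       allowed to own the name, so a client cannot impersonate it. -->
  <policy context="default">
    <deny own="org.example.Indexer1"/>
    <allow send_destination="org.example.Indexer1"/>
  </policy>

</busconfig>
```

With callers of different uids on one bus, the service itself has to decide which results each caller may see; the bus policy above only controls who can own the name and who can reach it.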