Hey Martin,

On Thu, 2006-01-12 at 16:21 +0100, Martin Pitt wrote:
> Hi David!
>
> David Zeuthen [2006-01-12 9:55 -0500]:
> > There may be a few cases (reading battery info comes to mind) where we
> > need to clean this up too; that's all part of the work of separating
> > hald into two processes - the unprivileged one handling D-BUS requests
> > and the uid 0 one that executes helpers.
>
> Sounds fine. I didn't think about the design so far, and I'm not
> intimately familiar with the guts of hal, but does that essentially
> boil down to changing hal_util_helper_invoke_with_pipes() to not
> exec() the helper, but instead send a dbus message to the privileged
> process?

That's about correct. Another thing is that all helpers should live in
/usr/share/hal/scripts/ and the root helper should restrict execution of
stuff outside this location. Hmm.. what about multi-lib, e.g. x86-64? Is
this a problem? /me shrugs

> It should also be decided what is better: forking() hald at the start
> (which would make startup easy, but operation less robust since in
> principle all the code would still be present in the root daemon), or
> a completely separate code base (easier to audit and more robust, but
> more problems with startup), or a hybrid solution (fork/exec the
> unprivileged instance from the privileged one). Personally I'd do the
> last option; David, what do you think?

I'd like the one with just forking at startup - it's less complicated
that way and the root parts of the daemon should be small and thus easy
to audit anyway.

Cheers,
David

_______________________________________________
utopia-list mailing list
[email protected]
http://mail.gnome.org/mailman/listinfo/utopia-list
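The "restrict execution of stuff outside this location" check that the uid 0 helper-runner would apply is the security-critical piece of the design sketched in this thread. The following is an added example, not hal's code and not from either poster: a hypothetical `resolve_helper()` that canonicalises the requested path and only accepts a regular file that lives under an allowed helper directory, shown next to the naive string-prefix check it replaces so that the bypasses (`..` traversal, a sibling directory sharing the prefix, a symlink planted inside the helper directory) are concrete. The allowed-directory tuple is a parameter so a multi-lib layout with more than one helper directory can be expressed; the `demo()` sandbox directory and file names are constructed for the example.

```python
"""Hypothetical helper-path validation for a privileged helper-runner.

Added example, not hal's own code. A uid-0 process that exec()s helpers on
behalf of an unprivileged daemon must decide, before exec, whether the
requested program is one of the installed helpers. The page names
/usr/share/hal/scripts/ as the helper location; the multi-directory tuple
below is an assumption used to show how a multi-lib layout could be
expressed.
"""
import os
import shutil
import tempfile

# Default allowed helper directories (the page names the first; additional
# per-architecture directories would be appended by the packager).
DEFAULT_HELPER_DIRS = ("/usr/share/hal/scripts",)


def _candidate_paths(requested, helper_dirs):
    """Absolute requests are used as-is; a bare name is looked up in each
    allowed directory in order."""
    if os.path.isabs(requested):
        return [requested]
    return [os.path.join(d, requested) for d in helper_dirs]


def naive_prefix_check(requested, helper_dirs=DEFAULT_HELPER_DIRS):
    """Weak check: plain string prefix, no canonicalisation.

    Accepts '<dir>/../../bin/sh', sibling directories such as
    '<dir>-old/x', and symlinks inside <dir> that point elsewhere.
    """
    path = _candidate_paths(requested, helper_dirs)[0]
    return any(path.startswith(d) for d in helper_dirs)


def resolve_helper(requested, helper_dirs=DEFAULT_HELPER_DIRS):
    """Hardened check: return the canonical path of an allowed helper or
    raise PermissionError.

    - os.path.realpath resolves symlinks and '..', so the comparison is
      made on where the file really lives;
    - os.path.commonpath compares whole path components, so 'scripts-old'
      is not mistaken for 'scripts';
    - the helper directory itself is refused, as is anything that is not
      a regular file (directories, devices, dangling links).
    """
    if not requested or "\0" in requested:
        raise PermissionError("empty or NUL-containing helper name")
    allowed_real = [os.path.realpath(d) for d in helper_dirs]
    for cand in _candidate_paths(requested, helper_dirs):
        real = os.path.realpath(cand)
        for d_real in allowed_real:
            inside = os.path.commonpath([real, d_real]) == d_real and real != d_real
            if inside and os.path.isfile(real):
                return real
    raise PermissionError("helper %r is not an allowed helper" % (requested,))


def demo():
    """Build a constructed sandbox and run both checks over the same
    requests. Returns {label: (naive_accepts, hardened_accepts)}."""
    root = tempfile.mkdtemp(prefix="hal-helpers-")
    try:
        helper_dir = os.path.join(root, "scripts")
        os.mkdir(helper_dir)
        good = os.path.join(helper_dir, "probe-battery")  # constructed helper
        with open(good, "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        os.mkdir(os.path.join(root, "scripts-old"))  # sibling sharing the prefix
        sibling = os.path.join(root, "scripts-old", "evil")
        open(sibling, "w").close()
        outside = os.path.join(root, "outside")  # file outside the helper dir
        open(outside, "w").close()
        link = os.path.join(helper_dir, "linkout")  # symlink planted inside
        os.symlink(outside, link)
        dirs = (helper_dir,)

        def hardened(req):
            try:
                resolve_helper(req, dirs)
                return True
            except PermissionError:
                return False

        cases = {
            "good-abs": good,
            "good-name": "probe-battery",
            "traversal": os.path.join(helper_dir, "..", "outside"),
            "sibling": sibling,
            "symlink-out": link,
            "dir-itself": helper_dir,
            "missing": "no-such-helper",
        }
        return {k: (naive_prefix_check(v, dirs), hardened(v)) for k, v in cases.items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for label, (naive, hard) in demo().items():
        print("%-12s naive=%-5s hardened=%s" % (label, naive, hard))
```

The point of running both checks side by side is that every bypass case passes the prefix check and fails the canonicalising one; in the real daemon the resolved path, not the requested string, is what should be handed to exec().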
