dazuko-devel

Re: [Dazuko-devel] 2.1.0-pre3 posted


From: John Ogness
Subject: Re: [Dazuko-devel] 2.1.0-pre3 posted
Date: Thu, 31 Mar 2005 10:12:02 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040913

Tikka, Sami wrote:
> Fact of the matter is that we have a dazuko application that uses a separate
> AV scanning daemon that has several child processes that do the actual
> scanning. Because AV scanning is a complex task, it is possible, although
> uncommon, that a child process could die unexpectedly.
> I would feel much safer if such a child could be removed from the list of
> trusted processes as soon as its death is detected.

Me too.


> I do not see how process identifiers are too platform-specific. Every
> operating system I know has process identifiers. Dazuko itself uses PIDs in
> its dazuko_access struct.

I do not see Dazuko as a UNIX operating system file system access control
interface. I see it as an interface to general file access control. There
are many environments that I can imagine where PID has no meaning. Some
examples include virtual file systems (such as gnomevfs), exotic operating
systems (such as DOS), or virtual operating systems (such as DummyOS). There
are also other situations where PID != process (multiple threads on any UNIX
except Linux).

PIDs in the dazuko_access struct are OK because it is just optional
information available about a process. It is not used by Dazuko to identify
processes.

I have no plans to add functions to the Dazuko interface that take PID as an
argument. A PID is meaningless to Dazuko. You will not find any code in
dazuko_core.c that uses PIDs for identification.


> Removing all trusted processes with the same token would be too much
> [dazukoRemoveTrustedApplication(token)]. There's no need to restart or
> re-authenticate all of the scanning daemon if one of its children should die.

What if you used a different token for each trusted process? This would
require that you implement a "token manager" so that you know who is who and
which tokens they were assigned, but that shouldn't be too difficult. I
would prefer this method because it keeps process representation abstract
and this is very important to me.

If I were to implement dazukoRemoveTrusted(token), then it would remove
*all* trusted processes from your group that use this token. That means that
if you use different tokens for each process, then you have individual
control. If you use the same token for everything, then it is the same as
dazukoRemoveAllTrusted(). Using this idea, you would also have the
flexibility of defining your own sub-groups, where a group of your helpers
uses the same token (thus you are able to easily clear out an entire group).

Thoughts, comments? Do you have other suggestions (that don't involve PIDs)?

John Ogness

--
Dazuko Maintainer
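A small model of the token-manager scheme proposed above, added here as an illustration and not code from Dazuko or from anyone in the thread. The Dazuko side is a stand-in with hypothetical register/remove functions (names and signatures assumed, not the real library API); the daemon keeps its own PID-to-token table, so PIDs never cross the interface and a per-child token gives individual removal while a shared pool token clears a whole sub-group.

```python
import secrets


class DazukoModel:
    """Stand-in for Dazuko's per-group trusted list (hypothetical, not the real API).
    It identifies trusted entries by (group, token) only and never sees a PID."""

    def __init__(self):
        self.trusted = []  # list of (group, token) pairs, one per registration

    def register_trusted(self, group, token):
        self.trusted.append((group, token))

    def remove_trusted(self, group, token):
        # Proposed dazukoRemoveTrusted(token) semantics: drop *every* entry of
        # this group registered with the token; return how many were removed.
        before = len(self.trusted)
        self.trusted = [e for e in self.trusted if e != (group, token)]
        return before - len(self.trusted)


class TokenManager:
    """Daemon-side bookkeeping: maps each scanner child's PID to the token it
    was registered under. The PID stays in the daemon; Dazuko only gets tokens."""

    def __init__(self, dazuko, group):
        self.dazuko, self.group, self.by_pid = dazuko, group, {}

    def add_child(self, pid, pool=None):
        # One random token per child gives individual control; children that
        # share a pool token form a sub-group that one remove call clears.
        token = pool if pool else f"child-{pid}-{secrets.token_hex(4)}"
        self.by_pid[pid] = token
        self.dazuko.register_trusted(self.group, token)
        return token

    def child_died(self, pid):
        # Called when waitpid()/SIGCHLD reports the child gone. If the child
        # shared a pool token, Dazuko drops the whole pool, so prune locally too.
        token = self.by_pid.pop(pid)
        removed = self.dazuko.remove_trusted(self.group, token)
        self.by_pid = {p: t for p, t in self.by_pid.items() if t != token}
        return removed


def demo():
    dz = DazukoModel()
    tm = TokenManager(dz, "avscan")  # constructed sample group name and PIDs
    for pid in (1001, 1002): tm.add_child(pid)                    # individual tokens
    for pid in (2001, 2002, 2003): tm.add_child(pid, pool="pool-a")  # one shared token
    gone_single = tm.child_died(1001)  # 1 entry removed, 4 remain trusted
    gone_pool = tm.child_died(2002)    # 3 entries removed: the whole pool
    return gone_single, gone_pool, sorted(tm.by_pid), len(dz.trusted)
```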
