discuss-gnustep

Re: security in the distributed object system


From: Alexander Malmberg
Subject: Re: security in the distributed object system
Date: Mon, 14 Apr 2003 22:07:04 +0200

Richard Frith-Macdonald wrote:
[snip]
> > Why not use Unix domain socket instead? Ok, it is not distributed
> > anymore
> 
> Yes that's the *BIG* reason.

It is distributed, but not far. Local system and single user is all that
-gui needs, though, and it is very important that -gui is completely
secure by default.

> >  but at least it provides a simple way (file permission) to limit
> > access to the server. I think a lot of people just want to do fancy
> > secure IPC. How about providing both (tcp and unix domain) so that
> > everybody is happy?
> 
> There are plans to do that ... but since options 1 and 3 are so easy,
> I don't think it's high priority

While these make it possible to do authentication, they don't solve the
actual problem of making sure that the other end of the port is trusted
(or even owned by the same user). User private unix sockets solve this
(and are also more robust wrt bugs in the implementation of the
authentication).

> (especially as the use of unix domain
> sockets is no protection against local attacks).

It is. Although much of the NSMessagePort/NSMessagePortNameServer
implementation I wrote a while back needs to be cleaned up and made more
robust, the port name server part could largely be kept as it is. It
provided secure user private ports (and as an additional bonus, didn't
require a daemon, which is nice if you want to use it somewhere where
you don't have access to privileged ports, or just want to test it and
don't want to run things as root).

Anyway, the patch probably still works. If someone wants to clean it up
and make it more robust, that would be very nice. Otherwise, I'll get
around to it eventually.

- Alexander Malmberg
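
The user-private Unix socket idea discussed in this message, as an added C example; it is not the NSMessagePort/NSMessagePortNameServer patch and not GNUstep code. It assumes ports live as socket files in a per-user directory of mode 0700 that both ends verify before use; the function names and the directory layout are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* 1 if dir is a real directory (no symlink), owned by us, no group/other bits. */
int private_dir_ok(const char *dir) {
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != geteuid()) return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Fill addr with dir/name; 0 on success, -1 if the path does not fit. */
static int port_addr(struct sockaddr_un *addr, const char *dir, const char *name) {
    memset(addr, 0, sizeof *addr);
    addr->sun_family = AF_UNIX;
    int n = snprintf(addr->sun_path, sizeof addr->sun_path, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= sizeof addr->sun_path) ? -1 : 0;
}

/* Server: make dir (0700), re-check it since it may pre-exist, listen on dir/name. */
int listen_private(const char *dir, const char *name) {
    struct sockaddr_un addr;
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    if (!private_dir_ok(dir) || port_addr(&addr, dir, name) != 0) return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    unlink(addr.sun_path); /* stale socket left by an earlier run */
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0 || listen(fd, 8) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Client: connect only if the directory is private to this user, so whoever
 * bound dir/name had this user's (or root's) privileges. Returns fd or -1. */
int connect_private(const char *dir, const char *name) {
    struct sockaddr_un addr;
    if (!private_dir_ok(dir) || port_addr(&addr, dir, name) != 0) return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (connect(fd, (struct sockaddr *)&addr, sizeof addr) != 0) { close(fd); return -1; }
    return fd;
}
```

Because the check is made on the directory rather than on a credential exchanged over the connection, neither end depends on the correctness of an authentication handshake.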



