ubuntu-phone team mailing list archive

Thread
Date

Re: Sharing dynamic informations between the user session and the greeter

To: ubuntu-phone@xxxxxxxxxxxxxxxxxxx
From: Marc Deslauriers <marc.deslauriers@xxxxxxxxxxxxx>
Date: Thu, 06 Mar 2014 13:42:15 -0500
In-reply-to: <1394129766.24366.91415809.325DA94E@webmail.messagingengine.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0

On 14-03-06 01:16 PM, Ryan Lortie wrote:
<snip>
>> 2. get lightdm to connect to the user-session bus and send back selected 
>> informations to the greeter.
>>
>> That seems like the most flexible/powerful solution, giving access to 
>> the user session might be a concern for security though.
> 
> In a sense, this is the "best approach".
> 
> I think having lightdm come onto the user's session bus as soon as the
> user has logged in has a lot of appeal for quite some reasons.  If we
> are having lightdm handle the locking then this could allow lightdm to
> communicate with the session (and its contents) about things like
> inhibit, for example.
> 
> This would also be the best approach to allowing us to model dynamic
> information (such as the state of MPRIS music players).  It would not be
> subject to stale data about the playing song, for example, because the
> information would not be persistently stored anywhere at all -- only
> proxied.  It would be lightdm actively monitoring things, rather than a
> utility component in the user's session (which all other approaches
> would require).
> 
> The drawback here is security of course.  Attaching a privileged
> component to the user's session bus exposes a lot of surface area to
> possible attack.  Even with system level D-Bus components running as
> root we don't see this level of exposure because they are hidden behind
> the D-Bus daemon, which provides an additional level of protection.  In
> this case, the user controls the D-Bus daemon, so they can inject
> whatever junk they want directly into this component.
> 
> If we feel that we can manage the security implications of this (like,
> having it not run as root, for example) then I think this is the best
> approach.  I think it might be difficult to convince ourselves of this,
> however.

Yes, there are a lot of security implications in doing this. It's a _lot_ of
attack surface just to get a bit of data transferred to the lock screen.

<snip>
> 
> A final possibility is that we find a simple way to create a socket that
> can be shared between the session and the greeter and write a small
> program to shuffle data across it.  This shares the problem that we need
> a component in the session (as with all of the cases above except the
> one where lightdm gets directly on the session bus).  We also have to
> figure out a way to share the socket, but this doesn't seem like it's a
> particularly difficult problem to solve.
> 

I like this idea.

Marc.

References

Sharing dynamic informations between the user session and the greeter
From: Sebastien Bacher, 2014-03-06
Re: Sharing dynamic informations between the user session and the greeter
From: Ryan Lortie, 2014-03-06