[Bluez-devel] Device configuration permissions

[Bluez-devel] Device configuration permissions

[Claudio Takahasi]

Hi Marcel,

There is a open issue that we need define. I was talking with Eduardo
and Johan in the
IrC channel about how design the Devices services and handle security.
In our opinion
read services should be available to all users and write service
should be restricted.
We have a lot of ways to define D-Bus rules, use path, interface,
method name, user
and/or a combination of these parameters.

Define method name rules, can make the maintenance hard. The easiest
way is use interface
to define rules.

Here are some interface names suggestions:
Suggestion 1:
org.bluez.Devices.Public
org.bluez.Devices.Protected

Suggestion 2:
org.bluez.Devices.admin
org.bluez.Devices.user


Do you agree with this approach of define different interfaces?
If yes, do you have another suggestion for the interface name?

Regards,
Claudio
--
---------------------------------------------------------
Claudio Takahasi
Instituto Nokia de Tecnologia - INdT


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

Re: [Bluez-devel] Device configuration permissions

[Marcel Holtmann]

Hi Claudio,

> There is a open issue that we need define. I was talking with Eduardo
> and Johan in the
> IrC channel about how design the Devices services and handle security.
> In our opinion
> read services should be available to all users and write service
> should be restricted.
> We have a lot of ways to define D-Bus rules, use path, interface,
> method name, user
> and/or a combination of these parameters.
> 
> Define method name rules, can make the maintenance hard. The easiest
> way is use interface
> to define rules.
> 
> Here are some interface names suggestions:
> Suggestion 1:
> org.bluez.Devices.Public
> org.bluez.Devices.Protected
> 
> Suggestion 2:
> org.bluez.Devices.admin
> org.bluez.Devices.user
> 
> 
> Do you agree with this approach of define different interfaces?
> If yes, do you have another suggestion for the interface name?

sorry, but both are the wrong approaches. I don't wanna dictate the
security settings through the interface names and especially not with
keywords like "admin", "protected" etc. This is the wrong approach and
makes the interface really horribly, because the user shouldn't care
that much about it. If our D-Bus rules file get big then this is the
price we have to pay for a nice clean interface. And I am gladly to
paying this price then.

For example we had the HCI security filter inside the kernel that blocks
certain HCI commands and events for normal users. This is not a bad idea
per se, but for some projects the general rules don't apply and they
need special settings. So we must give them a chance to adjust these
setting without cripling the interface for it. And writing these rules
or policies must not be easy.

Regards

Marcel




-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

Re: [Bluez-devel] Device configuration permissions

[Johan Hedberg]

Hi Marcel,

On Mon, Oct 31, 2005, Marcel Holtmann wrote:
> sorry, but both are the wrong approaches. I don't wanna dictate the
> security settings through the interface names and especially not with
> keywords like "admin", "protected" etc. This is the wrong approach and
> makes the interface really horribly, because the user shouldn't care
> that much about it.

IMHO it would make it easier for the user to understand why some method
doesn't work for him if the interface name had e.g. "admin" in it. I
don't see how that makes the interface "horrible".

> If our D-Bus rules file get big then this is the price we have to pay
> for a nice clean interface. And I am gladly to paying this price then.

So having a rule for each method is ok? This is quite easily doable in
the config file (although the file will become bigger and more difficult
to maintain).

Johan


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

Re: [Bluez-devel] Device configuration permissions

[Marcel Holtmann]

Hi Johan,

> > sorry, but both are the wrong approaches. I don't wanna dictate the
> > security settings through the interface names and especially not with
> > keywords like "admin", "protected" etc. This is the wrong approach and
> > makes the interface really horribly, because the user shouldn't care
> > that much about it.
> 
> IMHO it would make it easier for the user to understand why some method
> doesn't work for him if the interface name had e.g. "admin" in it. I
> don't see how that makes the interface "horrible".

because if people try to use another security policy/rules, then the
names "admin" etc. are still present even if in their case these are no
longer commands where you need special rights. Don't try to dictate
security rules through the interface. We can split the interface in
logical parts, but not only for the reason of writing easy rules.

> > If our D-Bus rules file get big then this is the price we have to pay
> > for a nice clean interface. And I am gladly to paying this price then.
> 
> So having a rule for each method is ok? This is quite easily doable in
> the config file (although the file will become bigger and more difficult
> to maintain).

The same argument goes with SELinux. This will be something we have to
live with.

Regards

Marcel




-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

Re: [Bluez-devel] Device configuration permissions

[Johan Hedberg]

> > IMHO it would make it easier for the user to understand why some method
> > doesn't work for him if the interface name had e.g. "admin" in it. I
> > don't see how that makes the interface "horrible".
> 
> because if people try to use another security policy/rules, then the
> names "admin" etc. are still present even if in their case these are no
> longer commands where you need special rights. Don't try to dictate
> security rules through the interface. We can split the interface in
> logical parts, but not only for the reason of writing easy rules.

Ok. That sounds sensible :-) Thanks for the explanation!

Johan


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.
Get Certified Today * Register for a JBoss Training Course
Free Certification Exam for All Training Attendees Through End of 2005
Visit http://www.jboss.com/services/certification for more information
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel