discuss-gnustep
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: security in the distributed object system

From: Derek Zhou
Subject: Re: security in the distributed object system
Date: Mon, 14 Apr 2003 10:46:09 -0800
User-agent: KMail/1.5.1 
On Sunday 13 April 2003 11:05 pm, you wrote:
> 1. You can design your server object to only respond to methods you
> want to make public.
Right now, we don't have any sandbox mechanism. Also, Objc provides
extra ropes like selector, invocation and forwarding to hang ourselves. 
It is very easy to make mistake.
>
> 2 You can impose some sort of login mechanism as you suggest
Good login machanism is hard to make right. Not only the server needs
to authenticate the client, the client also needs to authenticate the server 
to make sure it is not a Trojan horse. Kerberos? My brain is going to 
explode.
>
> 3. Your delegate can use the authenticationComponents:withData: and
> authenticationdataForComponents: methods to authenticate (or even
> handle encryption of) all the messages sent over the connection.
Again, it is hard to do it right. It also adds extra overhead to the message 
processing. 
>
> > Why not to use Unix domain socket instead? Ok, it is not distributed
> > anymore
>
> Yes that's the *BIG* reason.
Which part in the core gnustep requires a true distributed system? All I can 
find is IPC, like pasteboard, gdnc. Do you really want other people on the 
network to copy to your pasteboard? Can you imagine the kid next door doing  
a DoS attack on your pasteboard server and you cannot copy & paste?
>
> >  but at least it provide a simple way (file permission) to limit
> > access to the server. I think a lot of people just want to do fancy
> > secure IPC. How about provide both (tcp and unix domain) so that
> > everybody is happy?
>
> There are plans to do that ... but since options 1 and 3 are so easy,
> I don't think it's high priority (especially as the use of unix domain
> sockets is no protection against local attacks).
AFAIK, With Unix domain socket I can set the file permission to only allow 
process with the same uid to connect. Also I can stat the socket before 
connecting to it to see if it is created by the same uid. That is a big 
protection against local attack. If there was a malicious process running 
under your uid, you were screwed anyway.
Derek
reply via email to
[Prev in Thread] Current Thread [Next in Thread]