Fwd: Geoclue & permissions

Zeeshan Ali (Khattak) zeeshanak at gnome.org
Thu Apr 17 12:36:21 EDT 2014


Hi everyone,

I'm forwarding my short discussion with Jouni about permissions on
D-Bus interface, as per his suggestion to bring the discussion to this
list.

Forwarded conversation
Subject: Geoclue & permissions
------------------------

From: Zeeshan Ali (Khattak) <zeeshanak at gnome.org>
Date: Thu, Apr 17, 2014 at 4:14 PM
To: Jouni Malinen <jouni at qca.qualcomm.com>


Moi Jouni,

For wifi-geolocation in geoclue project[1], I'm currently using
NetworkManager for getting list of WiFis in the area. Someone
suggested that I use wpa_supplicant directly for greater portability
and adoption so I'm looking into that.

I see that you have restricted all of your D-Bus API to root user
only. Geoclue is supposed to typically run as a special user
('geoclue') without admin preveleges so goeclue can't readily use
wpa_supplicant.

I see 3 options:

1. Geoclue installs a dbus policy file that gives its user permissions
on needed API.
2. wpa_supplicant give permissions in its policy file to geoclue user
specifically.
3. wpa_supplicant give permissions to readonly API (getting list of
interfaces, BSSs etc) to everyone.

I'm going to go for #1 for now but keeping in mind that its likely not
to work in post-kdbus world, I thought I should consult you on this.

--
Regards,

Zeeshan Ali (Khattak)
FSF member#5124

[1] http://www.freedesktop.org/wiki/Software/GeoClue/

----------
From: Jouni Malinen <jouni at qca.qualcomm.com>
Date: Thu, Apr 17, 2014 at 4:40 PM
To: "Zeeshan Ali (Khattak)" <zeeshanak at gnome.org>


On Thu, Apr 17, 2014 at 04:14:35PM +0100, Zeeshan Ali (Khattak) wrote:
> For wifi-geolocation in geoclue project[1], I'm currently using
> NetworkManager for getting list of WiFis in the area. Someone
> suggested that I use wpa_supplicant directly for greater portability
> and adoption so I'm looking into that.
>
> I see that you have restricted all of your D-Bus API to root user
> only. Geoclue is supposed to typically run as a special user
> ('geoclue') without admin preveleges so goeclue can't readily use
> wpa_supplicant.

You may want to bring this up on the hostap mailing list. I did not
design the D-Bus API or the permissions set in the configuration file
for this.

> I see 3 options:
>
> 1. Geoclue installs a dbus policy file that gives its user permissions
> on needed API.
> 2. wpa_supplicant give permissions in its policy file to geoclue user
> specifically.
> 3. wpa_supplicant give permissions to readonly API (getting list of
> interfaces, BSSs etc) to everyone.
>
> I'm going to go for #1 for now but keeping in mind that its likely not
> to work in post-kdbus world, I thought I should consult you on this.

I'm not using the D-Bus interface that much myself, but if (3) can be
done easily and safely, that sounds like a reasonable approach to me.
Anyway, this should be discussed with the people who use the D-Bus
interface, so the hostap mailing list would be more appropriate
destination for this.

--
Jouni Malinen                                            PGP id EFC895FA




-- 
Regards,

Zeeshan Ali (Khattak)
FSF member#5124


More information about the HostAP mailing list