The fate of Upstart

Enrico Weigelt, metux IT consult enrico.weigelt at gr13.net
Thu Dec 4 14:00:17 UTC 2014


On 03.12.2014 23:32, Vittorio wrote:

> If you really could succeed in getting rid of polkit and dbus, that
> would be very good work.
> I completely agree with you. Polkit has given me a lot of headaches.

Well, you're welcome to join me :)

I still have to sort out certain conceptual issues regarding
authentication.

For now, I'm pretty clear that it will be something 9P and factotum
based and shall be compatible with the usual Plan9 ways (so it's
also suited for distributed systems).

But I haven't sorted out who exactly will maintain the sessions
(and session keys), and how to do service startup and mounting,
especially regarding the differences between Linux and Plan9.

My current thoughts go like this:

* user services visible to some user can be expected to be posted
  within some directory in his home directory. perhaps this
  directory will be configurable via env (to support multiple
  sessions w/o separate namespaces)
* system services are posted in some global (world-readable) dir
* maybe: those which are accessible to some user are also symlinked
  to his home / session dir
* traditional group-based access controls can be used here
* for finer access control, services can be authenticated via
  factotum (user and host factotum)
* a separate control agent (maybe acting on user login, eg. via
  pam, etc) generates keys for system services and adds them
  to host factotum, so system services can be accessed by them
* users that should be allowed to access them also get the
  corresponding keys into their user / session factotum, so
  it can authenticate
* in case we really need a hard separation between sessions
  (so session privileges cannot be stolen by the same user,
  into other sessions), we can run the session factotums
  under a different uid and configure it to never tell
  secrets

uhm, I might expect too much Plan9 knowledge here ... sorry for that ;-o

maybe we should get into deeper discussion on the 9fans list.


cu
--
Enrico Weigelt,
metux IT consulting
+49-151-27565287
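
A sketch of how the posting layout listed in the message could be audited, as an added example that is not part of the original message or of any existing project. The directory names, the service names and the use of plain files as stand-ins for posted services are assumptions, as is treating the write bit as the permission needed to connect (as it is for Unix sockets on Linux).

```python
import os
import stat
import tempfile

def exposure(mode):
    """Widest class allowed to write (assumed: connect) to a posted service."""
    if mode & stat.S_IWOTH:
        return "world"
    if mode & stat.S_IWGRP:
        return "group"
    return "owner"

def audit_session(session_dir, system_dir):
    """Map each entry in a session post directory to its exposure or a defect."""
    system_real = os.path.realpath(system_dir)
    report = {}
    for name in sorted(os.listdir(session_dir)):
        path = os.path.join(session_dir, name)
        target = os.path.realpath(path)
        if os.path.islink(path) and os.path.dirname(target) != system_real:
            report[name] = "symlink leaves system dir"
        elif not os.path.exists(target):
            report[name] = "dangling"
        else:
            report[name] = exposure(stat.S_IMODE(os.stat(target).st_mode))
    return report

def build_sample(root):
    """Constructed layout: plain files stand in for posted service endpoints."""
    system, session = os.path.join(root, "srv"), os.path.join(root, "home", "session")
    os.makedirs(system)
    os.makedirs(session)
    os.chmod(system, 0o755)   # global, world-readable post directory
    os.chmod(session, 0o700)  # per-user session post directory
    for d, name, mode in [(system, "net", 0o660), (system, "log", 0o666),
                          (session, "editor", 0o600), (root, "stray", 0o600)]:
        path = os.path.join(d, name)
        open(path, "w").close()
        os.chmod(path, mode)
    # Symlinks from the session dir: two valid, one outside the system dir, one dangling.
    for name, src in [("net", system), ("log", system), ("stray", root), ("gone", system)]:
        os.symlink(os.path.join(src, name), os.path.join(session, name))
    return session, system

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for name, verdict in audit_session(*build_sample(root)).items():
            print(f"{name:8} {verdict}")
```

A "world" verdict marks a service that group-based access control no longer restricts, so only factotum authentication would stand between it and any local user.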




More information about the Ubuntu-devel-discuss mailing list