felix-users mailing list archives

From Karl Pauls <karlpa...@gmail.com>
Subject Re: Security & Felix bundles
Date Thu, 14 Mar 2013 09:24:29 GMT
On Thu, Mar 14, 2013 at 8:18 AM, Felix Meschberger <fmeschbe@adobe.com> wrote:

> Hi,
>
> On 13.03.2013 at 23:16, Karl Pauls wrote:
>
> >> Is it planned to add permissions file into Felix subprojects bundles
> >> (Config Admin, Event Admin, etc.)?
> >>
> >
> > Planned, no. Not at this point - however, I'm sure contributions are more
> > than welcome. If you want to create some permission files and give them
> > to us I'm sure we are more than happy to integrate them.
>
> Please excuse my ignorance: Would adding permission files mean we would
> have to sign the bundles?
>

Not necessarily, no.

The point is that in this model, it makes sense to give AllPermission to
bundles and rely on the limits in their permissions.perm files. This can be
convenient (if anything is when security is used ;-) as one only has to
look at the permissions requested in the permissions.perm to decide if a
bundle is safe to install and no further policy needs to be changed -
provided, one can rely on the fact that the bundle hasn't been tampered
with (or at least, the permissions.perm file hasn't been changed or removed
completely).

In other words, for this to work you need,

a) a correct permissions.perm file (hopefully only requesting the minimal
set of needed permissions) for (and in) each bundle, and
b) the bundle needs to be signed if you can't assume that nobody is able to
tamper with it.

In consequence, while the bundle ultimately probably has to be signed by
somebody, we don't _have to_ sign it just because we provide a
permissions.perm inside of it.

Figuring out the minimal set of permissions is hard. Signing a bundle and
giving AllPermission to that cert might be effort but isn't the end of the
world -- hence, I'd argue that providing a permissions.perm with our
bundles is a value in itself. Signing them as well would be another value
add but isn't needed to make the former valuable.

regards,

Karl


> Regards
> Felix
>
> --
> Felix Meschberger | Principal Scientist | Adobe


-- 
Karl Pauls
karlpauls@gmail.com
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls
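The review step Karl describes above (look at what the bundle's own OSGI-INF/permissions.perm requests, then decide whether it is safe to install, keeping in mind that an unsigned bundle gives no assurance the file is intact) can be turned into a small pre-install check. The script below is an added example for this thread and is not code from Apache Felix or from either poster. It assumes the permissions file format from the OSGi Core specification, one `(type "name" "actions")` entry per line with `#` or `//` comments, builds a constructed in-memory sample bundle, and treats the presence of a META-INF/*.SF entry as "signed" only as a presence check, not as cryptographic verification of the signature:

```python
import io
import re
import zipfile

# One permissions.perm entry: (qualifiedName "name" "actions"); name and actions are optional.
PERM_LINE = re.compile(r'^\(\s*([A-Za-z_$][\w.$]*)(?:\s+"([^"]*)"(?:\s+"([^"]*)")?)?\s*\)$')

# Permission types that hand a bundle the whole framework; these warrant a closer look.
BROAD_PERMISSIONS = {"java.security.AllPermission", "org.osgi.framework.AdminPermission"}

# Constructed sample contents for OSGI-INF/permissions.perm (not taken from any Felix bundle).
SAMPLE_PERM = """# constructed sample permissions.perm
(org.osgi.framework.PackagePermission "org.osgi.framework" "import")
(org.osgi.framework.ServicePermission "org.osgi.service.event.EventAdmin" "get")
(java.io.FilePermission "/tmp/-" "read")
"""


def parse_permissions(text):
    """Parse permissions.perm text into (type, name, actions) tuples; reject malformed lines."""
    perms = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("//"):
            continue
        m = PERM_LINE.match(line)
        if not m:
            raise ValueError("malformed permission line: %r" % raw)
        perms.append((m.group(1), m.group(2), m.group(3)))
    return perms


def build_sample_bundle(perm_text=None, add_signature=False):
    """Construct an in-memory bundle JAR for demonstration (hypothetical bundle).
    add_signature only drops in a placeholder META-INF/TEST.SF so the presence
    check fires; it is NOT a real JAR signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nBundle-SymbolicName: example.sample\n")
        if perm_text is not None:
            zf.writestr("OSGI-INF/permissions.perm", perm_text)
        if add_signature:
            zf.writestr("META-INF/TEST.SF", "Signature-Version: 1.0\n")
    return buf.getvalue()


def inspect_bundle(jar_bytes):
    """Report the bundle's local permissions and whether signature files are present."""
    report = {"has_perm_file": False, "permissions": [], "broad": [], "signed": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if "OSGI-INF/permissions.perm" in names:
            report["has_perm_file"] = True
            text = zf.read("OSGI-INF/permissions.perm").decode("utf-8")
            report["permissions"] = parse_permissions(text)
            report["broad"] = [p for p in report["permissions"] if p[0] in BROAD_PERMISSIONS]
        # Presence of META-INF/*.SF only says a signature exists; verifying it needs the
        # JAR verifier (e.g. java.util.jar.JarFile with verify=true) and a trusted cert.
        report["signed"] = any(n.upper().startswith("META-INF/") and n.upper().endswith(".SF")
                               for n in names)
    return report


def assess(report):
    """Turn a report into review findings; an empty list means nothing to object to."""
    findings = []
    if not report["has_perm_file"]:
        findings.append("no OSGI-INF/permissions.perm: local permissions cannot bound this bundle")
    for ptype, name, actions in report["broad"]:
        findings.append(("broad permission requested: %s %s %s" % (ptype, name or "", actions or "")).rstrip())
    if not report["signed"]:
        findings.append("unsigned: permissions.perm could have been altered or removed in transit")
    return findings


if __name__ == "__main__":
    for label, jar in (("minimal, unsigned", build_sample_bundle(SAMPLE_PERM)),
                       ("AllPermission, signed", build_sample_bundle("(java.security.AllPermission)", True)),
                       ("no perm file", build_sample_bundle())):
        print(label, "->", assess(inspect_bundle(jar)) or ["ok"])
```

The "unsigned" finding is exactly the caveat in the message: the permissions file tells you what the bundle asks for, but only a signature (or another integrity guarantee) tells you that the file you read is the one the author shipped.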