On Mon, 2013-08-05 at 19:23 +0000, Kanavin, Alexander wrote:
> Let me highlight this observation here and ask: is this kind of
> control by executable path really useful on a normal Linux desktop? I
> believe GNOME Keyring had something like that in the past and moved
> away from it because it didn't add any real security.
> In this case, with gSSO, it really gets in the way.
For testing purposes I think you can bypass this check by a) compiling gsignond with
b) setting the SSO_KEYCHAIN_SYSCTX environment variable to the path+name of the executable -
that's how we run unit tests.
Is that extra complexity really useful?
Can I relax access and allow a set of apps sharing the identity? I
noticed a "security context" parameter in the API. Currently I am
passing NULL there.
I also don't understand how that fits with the single CredentialsId that
gets stored in accounts (see discussion with Alberto). That means that
there is a single signond identity that all apps using a certain
provider (not service!) are meant to use. Won't that fail when there is
a per-app access control on the identity?
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.