$Id: TODO,v 1.6 2003/03/26 17:52:40 twogood Exp $

TODO for dccmd
==============

o Use tcpwrappers

o Allow connect/disconnect scripts to run slowly (do not assume they return
  quickly)

o Use SIGUSR1 and not SIGHUP (SIGHUP is what the kernel sends when the
  controlling terminal goes away, and its default action is to terminate)

o Send the signal to the daemon's own PID only, not with "killall" (which
  signals every process with that name, including other users' instances)

o Multi-user support. Maybe something like this:

From: Michael Jarrett <msjarret@engmail.uwaterloo.ca>
To: synce-devel@lists.sourceforge.net
Subject: Re: [Synce-devel] dccm security considerations
Date: Wed, 26 Mar 2003 01:27:54 -0800

I personally think a different structure altogether is needed once you start 
thinking of multiple devices, though not necessarily for security reasons. A 
good example of the problems multiple devices creates is the simple fact that 
different users could want to sync devices simultaneously, which is difficult 
with a user-run daemon fighting over port 5679.

Random thought coming through:
- Have a device daemon, which runs at system startup. Not necessarily as 
root, though running as root does have the advantage that the daemon can then 
manipulate PPP connections.
- Individual users connect to this daemon, either on login, on starting X, or 
by whatever panel applet. Connection is made through TCP sockets, a UNIX 
socket or pipe, or <insert favourite form of IPC here>.
- Each user, on connection to the daemon, specifies which devices that user 
wishes to interact with, and the passwords needed to sync. The daemon will 
allow or deny this based on a security policy and requests of other users.
- The daemon maintains the 5679 port for all devices. I do not think binding 
to individual interfaces would be useful (can you even bind the same port on 
separate interfaces independently?). Rather, some sort of hosts.allow system 
as was suggested earlier.
- The daemon can be told to bring up certain connection types. I.e.: 
synce-serial-connect would in fact just send a command to the daemon, which 
would do the work to establish a PPP connection itself. Of course, it could 
adjust its hosts.allow file if necessary. A file in /etc would specify what 
users/groups were privileged to start various connections.
- If no user has registered to sync with a device, the daemon can either 
reject the device entirely, or if no password is set, hold the connection 
open.
- If a user is successfully connected to a device, a file with the IP is 
written somewhere in their home directory. Scripts are also run. The daemon 
either needs root privileges, or the user sets the required files to be 
readable/writable by the daemon. Alternatively, that connection used for the 
user to specify what devices to sync with, could notify the user that a 
device has connected.

While a real pain to implement, this approach has the advantage of allowing 
many devices to connect to the same desktop, and communicate with a variety 
of users in a secure manner. It also gives the system administrator more 
fine-grained control.
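Concretely, the two signal items in the list above (react to SIGUSR1 rather than SIGHUP, and signal one PID rather than "killall") could look like this. This is an added example written for this page, not dccm's own code; the daemon name, the pidfile location and the choice of a pidfile as the way clients find the daemon's PID are assumptions.

```python
"""Signal handling for a dccm-style daemon: react to SIGUSR1 (not SIGHUP) and
let clients signal exactly one PID, read from a pidfile, instead of `killall`.
Added example, not dccm's own code.  DAEMON_NAME and the pidfile path are
assumptions made for the demo."""
import errno
import os
import signal
import tempfile
import time

DAEMON_NAME = "dccmd"          # assumed; only used to name the pidfile

def write_pidfile(path):
    """Create the pidfile with O_EXCL so a second instance fails loudly instead
    of silently overwriting the PID of the daemon that is already running."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "w") as f:
        f.write("%d\n" % os.getpid())

def read_pidfile(path):
    """Return the PID, or None if the file is missing, malformed or stale."""
    try:
        with open(path) as f:
            pid = int(f.read().strip())
    except (OSError, ValueError):
        return None
    if pid <= 0:            # kill(0, sig) hits our process group, kill(-1, sig) everything
        return None
    try:
        os.kill(pid, 0)     # existence/permission probe: signal 0 delivers nothing
    except OSError as e:
        if e.errno == errno.ESRCH:
            return None     # stale pidfile: no such process
        # EPERM: the process exists but belongs to someone else; still a real PID
    return pid

def notify_daemon(path, sig=signal.SIGUSR1):
    """The replacement for `killall -USR1 dccmd`: exactly one PID, from the pidfile."""
    pid = read_pidfile(path)
    if pid is None:
        return False
    os.kill(pid, sig)
    return True

def install_handlers(flag):
    """SIGUSR1 means "re-read config / a device event".  SIGHUP is left alone so a
    closing terminal is not mistaken for a request from a script."""
    def on_usr1(signum, frame):
        flag.append(signum)
    signal.signal(signal.SIGUSR1, on_usr1)

def demo():
    """Fork a pretend daemon, signal it only through its pidfile, and report
    whether it noticed.  Returns True on success."""
    tmpdir = tempfile.mkdtemp()
    pidfile = os.path.join(tmpdir, DAEMON_NAME + ".pid")
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                           # child: plays the daemon
        try:
            os.close(r)
            got = []
            install_handlers(got)
            write_pidfile(pidfile)         # only after the handler is in place
            deadline = time.time() + 5
            while not got and time.time() < deadline:
                time.sleep(0.01)
            os.write(w, b"1" if got else b"0")
        finally:
            os._exit(0)
    os.close(w)
    for _ in range(500):                   # parent: wait for a valid pidfile
        if read_pidfile(pidfile) == pid:
            break
        time.sleep(0.01)
    sent = notify_daemon(pidfile)
    result = os.read(r, 1)
    os.close(r)
    os.waitpid(pid, 0)
    os.unlink(pidfile)
    os.rmdir(tmpdir)
    return sent and result == b"1"

if __name__ == "__main__":
    print("daemon saw SIGUSR1 via pidfile:", demo())
```

The pidfile should live in a directory only the daemon can write, otherwise another local user can point `notify_daemon` at an arbitrary PID; `read_pidfile` refuses non-positive values because `kill(0, sig)` and `kill(-1, sig)` signal the whole process group or every process the caller may signal.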

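The access-control pieces of the multi-user daemon sketched in the mail above, together with the "use tcpwrappers" / hosts.allow idea from the list, as one added example. It is not synce or dccm code. Assumptions: the control channel between users and the daemon is an AF_UNIX socket, so the daemon learns who connected from SO_PEERCRED (Linux-only) instead of trusting a name the client sends; the policy file syntax is hypothetical; the hosts.allow matcher is a cut-down model of tcpwrappers matching (a real build should link libwrap); the addresses in HOSTS_ALLOW are constructed.

```python
"""Access control for the multi-user daemon proposed above.  Added example,
not synce/dccm code.  Assumes an AF_UNIX control socket (SO_PEERCRED, Linux
only), a hypothetical policy file format, and a cut-down hosts.allow matcher."""
import grp
import os
import pwd
import socket
import struct

# Hypothetical /etc policy file, constructed for the example.
#   <subject> : <devices> : <actions>
#   subject = "user NAME" | "group NAME" | "ALL"; devices/actions are comma lists.
POLICY_TEXT = """
user alice  : ipaq1, ipaq2 : sync, connect:serial
group synce : ALL          : sync
ALL         : ALL          : connect:usb        # anyone may bring up USB
"""

def parse_policy(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [f.strip() for f in line.split(":", 2)]
        if len(parts) != 3:
            raise ValueError("bad policy line: %r" % raw)
        subject, devices, actions = parts
        rules.append({"subject": subject.split(),
                      "devices": {d.strip() for d in devices.split(",")},
                      "actions": {a.strip() for a in actions.split(",")}})
    return rules

RULES = parse_policy(POLICY_TEXT)

def lookup_user(uid):
    """Resolve a kernel-supplied uid to its name and group set (passwd/group DBs)."""
    pw = pwd.getpwuid(uid)
    groups = {grp.getgrgid(pw.pw_gid).gr_name}
    groups.update(g.gr_name for g in grp.getgrall() if pw.pw_name in g.gr_mem)
    return {"name": pw.pw_name, "groups": groups}

def subject_matches(subject, user):
    if subject[0] == "ALL":
        return True
    if subject[0] == "user":
        return user["name"] == subject[1]
    if subject[0] == "group":
        return subject[1] in user["groups"]
    return False

def permitted(rules, user, device, action):
    """Default deny: some rule must match this user, this device and this action."""
    for r in rules:
        if (subject_matches(r["subject"], user)
                and ("ALL" in r["devices"] or device in r["devices"])
                and action in r["actions"]):
            return True
    return False

def peer_uid(sock):
    """uid of the peer on an AF_UNIX socket, asserted by the kernel, not the client."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None                      # Linux only; BSDs would use getpeereid()
    creds = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid

def authorize(sock, rules, device, action):
    """What the daemon runs when a client on the control socket claims a device."""
    uid = peer_uid(sock)
    return uid is not None and permitted(rules, lookup_user(uid), device, action)

def demo_peer_credentials():
    """Over a socketpair the peer is ourselves: True if SO_PEERCRED agrees, None if unsupported."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        uid = peer_uid(b)
    finally:
        a.close()
        b.close()
    return None if uid is None else uid == os.getuid()

# Device side: which hosts may reach port 5679 at all.  Constructed text in
# hosts.allow style; both addresses are assumptions for the example.
HOSTS_ALLOW = """
dccmd : 192.168.131. 169.254.2.1
"""

def device_allowed(hosts_allow, daemon, ip):
    """Cut-down tcpwrappers match: ALL, exact address or dotted prefix; default deny."""
    for raw in hosts_allow.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = [f.replace(",", " ").split() for f in line.split(":", 1)]
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(p == "ALL" or p == ip or (p.endswith(".") and ip.startswith(p)) for p in clients):
            return True
    return False
```

The point of `peer_uid` is that the daemon never has to believe a username sent over the socket: with a root-run daemon, a client lying about who it is would otherwise be able to claim another user's device and the password registered for it. Real tcpwrappers also consults hosts.deny and understands netmasks and hostnames; `device_allowed` only models the allow side.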

