Yesterday I was thinking a little about this security issue and maybe I have found a quite good solution. The current problem is that quite a big part of the code is executed by a user which has strong permissions (yastws). And this code is bigger than it looks. It is not only the rest-backend code, but also Rails code and Ruby code. So if some security issue is found in Ruby or in Rails, webyast is still affected.

My solution is to use a ticket system. The DBus interface provides an authentication call which authorizes the user and returns a one-time random authentication ticket which identifies this user. Then all calls to the DBus interface pass an additional parameter, the authentication ticket, and the DBus interface checks which user belongs to this ticket.

Advantages:
- yastws doesn't have any special permission; it can only try to get an authentication ticket
- the ticket is one-time, so sniffing without immediate ticket usage is useless
- even if the ticket is used immediately by an attacker, he still has only the permissions of the authenticated person
- it is possible to separate users in webyast and in the system
- it can be separated from the plugin and done in the background

Disadvantages:
- it needs another interface to the module which adds a special parameter to the call
- the password must somehow be passed (but I think the current version also passes it from frontend to backend, and this only adds the pass from backend to DBus)

JR

--
To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org
For additional commands, e-mail: yast-devel+help@opensuse.org
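The ticket scheme proposed in the message above, as an added Ruby model that is not part of the original mail or of the webyast code base. It assumes an in-memory user table, a per-user permission list and a ticket store in place of the real DBus service and system accounts (all constructed sample data); the point it shows is that a ticket is bound to one user, is consumed on first use so a replayed copy is rejected, and only ever yields that user's permissions.

```ruby
require 'securerandom'

# Constructed model of the proposed ticket service. The frontend (yastws) holds
# no privilege of its own: it authenticates a user, receives a one-time ticket
# and presents that ticket on every privileged call. Nothing here talks to
# DBus; the hashes stand in for the user database and the ticket store.
class TicketService
  class AuthError < StandardError; end

  # users: username => password        (constructed sample credentials)
  # perms: username => list of actions (constructed permission model)
  def initialize(users, perms)
    @users = users
    @perms = perms
    @tickets = {} # ticket => username; an entry lives only until its first use
  end

  # The "authentication call": verifies the password and returns a fresh,
  # random, one-time ticket bound to that user, or nil on failure.
  def authenticate(user, password)
    stored = @users[user]
    return nil unless stored && secure_compare(stored, password)
    ticket = SecureRandom.hex(32)
    @tickets[ticket] = user
    ticket
  end

  # The extra parameter on every interface call. The ticket is removed from
  # the store before anything else happens, so a sniffed and replayed ticket
  # fails, and the action is authorized against the ticket's user only.
  def call(ticket, action)
    user = @tickets.delete(ticket)
    raise AuthError, 'invalid or already used ticket' unless user
    allowed = @perms.fetch(user, [])
    raise AuthError, "#{user} may not #{action}" unless allowed.include?(action)
    { user: user, action: action, result: :ok }
  end

  # Number of issued but unused tickets (handy for tests and monitoring).
  def pending_tickets
    @tickets.size
  end

  private

  # Constant-time comparison so password checks do not leak timing information.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Constructed sample data for a stand-alone run.
def demo_service
  TicketService.new(
    { 'root' => 'hunter2', 'guest' => 'guest' },
    { 'root' => [:read, :write], 'guest' => [:read] }
  )
end

if __FILE__ == $PROGRAM_NAME
  svc = demo_service
  t = svc.authenticate('guest', 'guest')
  p svc.call(t, :read) # first use succeeds, as guest
  begin
    svc.call(t, :read) # replaying the same ticket is rejected
  rescue TicketService::AuthError => e
    puts "replay rejected: #{e.message}"
  end
end
```

Deleting the ticket before the permission check is what makes the "sniffed ticket is useless" claim hold: even a request that arrives a millisecond after the legitimate one finds no entry. A real service would also expire unused tickets after a short time, since an issued-but-unused ticket is the remaining window.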