Accessing Session Bus through the superuser

Thiago Macieira thiago at kde.org
Mon Mar 17 10:10:18 PDT 2008


On Monday 17 March 2008 17:29:19 Avery Pennarun wrote:
> On Mon, Mar 17, 2008 at 8:02 AM, Thiago Macieira <thiago at kde.org> wrote:
> >  I still don't know of any good use-case to allow the root user -- or any
> > user for that matter -- to connect to a user's session bus. Besides, that
> > always brings the questions: which users? And which busses?
>
> I've run into this problem myself.  My use case: testing stuff.
> Sometimes, you're testing, and you're root, and you expect to be able
> to do anything you want, and the session bus randomly doesn't work.
> That's just weird.  root can do anything; that's the standard rule of
> Unix, and there's no advantage to breaking it here.
>
> It's not like security is enhanced by this restriction.  root can do
> anything, so if root wants, root can seteuid() to the "correct" user,
> connect successfully, and seteuid() back to root again.  So all this
> has done is create an inconvenience for legitimate users instead of
> blocking illegitimate users.

Not really. It prevents you from accidentally running an application as root 
and accessing your shared resources in your session. The application running 
as root would create files that the user cannot later modify.

But, as you say, it's very easy to circumvent for legitimate uses. So I'd 
rather keep the extra action necessary, to keep people from using it 
accidentally.

I think, however, the greatest benefit is preventing bad-style solutions. 
Every time someone posts to this mailing list asking how to connect to the 
session bus from outside the session, we end up finding a better solution for 
the problem. The most obvious solution isn't necessarily the most elegant.

> Since the session bus security model is so simple (correct uid == ok,
> incorrect uid == not ok), dbus-daemon might as well just use pure
> socket-level security to prevent access by unauthorized users on the
> session bus.  

There's no such protection in abstract sockets. That's the whole reason why 
the check was introduced in the first place.

> That would be one *less* place for a security hole: 
> unauthorized users would be blocked at the kernel level, and
> dbus-daemon would never have to know, *and* a useful error code would
> be returned when someone unauthorized tried to connect.  Right now, it
> just disconnects silently, making diagnosis very difficult.  I
> personally and several of my friends have been bitten by this.  If you
> haven't seen it before, it can take a long time to diagnose.

Right, but there's no such protection at the kernel level.

-- 
  Thiago Macieira  -  thiago (AT) macieira.info - thiago (AT) kde.org
    PGP/GPG: 0x6EF45358; fingerprint:
    E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358