Anonymous auth method is broken

Schmottlach, Glenn glenn.schmottlach at harman.com
Mon Feb 2 05:31:15 PST 2009


Hi -

I reported that the <allow_anonymous/> patch didn't work back in
November. It looks like I applied it (to what was then the current DBus
head) before Colin reverted the patch. Since then I haven't had a chance
to test it with the 1.2.12 release and Peter Wurtz's patch to re-enable
the <allow_anonymous/> tag in the configuration file. If I get a chance,
I'll try to re-investigate it this week and provide further feedback. If
Peter's patch does work, I hope it will be considered for inclusion with
future releases.

Thanks,

Glenn

-----Original Message-----
From: havoc.pennington at gmail.com [mailto:havoc.pennington at gmail.com] On
Behalf Of Havoc Pennington
Sent: Sunday, February 01, 2009 4:22 PM
To: Schmottlach, Glenn
Cc: dbus at lists.freedesktop.org
Subject: Re: Anonymous auth method is broken

Hi,

On Sun, Feb 1, 2009 at 4:17 PM, Schmottlach, Glenn
<glenn.schmottlach at harman.com> wrote:
> So, it boils down to the fact that I'm inherently lazy. I have a
> reference dbus-daemon implementation that does 99.9% of what I want it
> to do. The 0.1% that is missing is being able to TCP/IP into the daemon.
> I'd rather not write a completely new daemon to implement this
> functionality. It's unfortunate that this feature could not be added but
> disabled by default (via the configuration file) to eliminate the
> obvious security hole. I'm sure I wouldn't be the only embedded
> developer who would appreciate this feature on the reference
> implementation.

A config flag <allow_anonymous/> with docs in 'man dbus-daemon' saying
that it is (obviously) insecure makes some sense to me, if it's just a
debug feature.
It looks like the patch on the bug already does this (well, minus
docs). Does that patch work for you guys?

Someone said on the bug that it does not seem to work:
http://lists.freedesktop.org/archives/dbus/2008-November/010632.html
Anyway, so that may need some debugging. I would add any fixes to the
patch or observations on whether it works as comments on the bug:
http://bugs.freedesktop.org/show_bug.cgi?id=15393

Havoc


