Starting the kdbus discussions

Simon McVittie simon.mcvittie at collabora.co.uk
Fri Jan 3 04:45:51 PST 2014


On 02/01/14 19:40, Colin Walters wrote:
> Right, that is a serious concern.  Enough to make me wonder if GLib
> should have G_BUS_TYPE_KSYSTEM for example.

I think something like this is the only way this can possibly be
functional and secure. G_BUS_TYPE_SYSTEM_UNTRUSTED, perhaps?

> Perhaps an alternative is that if *any* files are installed
> in /etc/dbus-1/system.d that perform access control, then kdbus is
> disabled?  Ugly still.

I don't think that works. The system bus is default-deny: every service
that does not hard-depend on kdbus *must* install policy XML, otherwise
it will be non-functional. Installing more policy XML punches *more*
holes in the secure, but non-functional, default-deny policy.

Assuming that system services want to be able to upgrade from a dbus
environment to a kdbus environment without a distro-wide flag day,
they'll need to keep installing their policy XML until they no longer
support *upgrading from* non-kdbus systems.

In practice, since kdbus is recent-Linux-specific, it seems desirable to
have a solution where it is harmless for portability-minded upstreams to
continue to install policy XML, which will still be needed on old-Linux
or non-Linux. Linux-only system integrators who no longer support
upgrading from a non-kdbus system could safely delete it to save some
disk space, of course.

> Another option is to punt to the system builder; GLib would have a
> compile-time option --enable-kdbus, and any system builder using
> this would take responsibility for ensuring that no GDBus-using clients
> are installing DBus XML policy.

I would personally not only reject this patch, but distrust a project
that would accept it (at least without a rename to
--enable-insecure-kdbus-policy or something else that indicates its
security implications). This can only be secure on a system that is
locked-down even by embedded standards, such that no third-party
privileged service can ever be installed; it's inappropriate for
general-purpose OSs like, say, Fedora.

    S
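The default-deny model described above, and the way each installed policy file can only add rules on top of it, can be seen in a small evaluator. This is an added example, not code from this thread or from dbus-daemon; it assumes a simplified form of dbus-daemon's documented rule semantics (every applicable `<policy>` block contributes its rules in file order, last matching rule wins), and the bus name `org.example.Foo`, the user `foo-daemon` and the file contents are constructed.

```python
"""Toy evaluator for dbus-daemon's system-bus policy XML (added example,
not code from this thread or from dbus-daemon). It models a simplified form
of the documented semantics: every <policy> block that applies to the caller
contributes its rules in file order and the LAST matching rule wins, so a
file dropped into /etc/dbus-1/system.d can only add allow/deny rules on top
of the default-deny baseline in system.conf. Bus names, user names and file
contents below are constructed."""
import xml.etree.ElementTree as ET

# Constructed stand-in for the default-deny baseline in system.conf.
SYSTEM_CONF = """<busconfig>
  <policy context="default">
    <deny own="*"/>
    <deny send_type="method_call"/>
  </policy>
</busconfig>"""

# Constructed stand-in for a service's /etc/dbus-1/system.d/org.example.Foo.conf:
# it lets one user own the name and lets everyone call methods on it.
FOO_POLICY = """<busconfig>
  <policy user="foo-daemon">
    <allow own="org.example.Foo"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.Foo"/>
  </policy>
</busconfig>"""


def applicable_rules(xml_docs, user):
    """Yield (tag, attributes) for every rule in a <policy> that applies to user."""
    for doc in xml_docs:
        for policy in ET.fromstring(doc).iter("policy"):
            if policy.get("context") == "default" or policy.get("user") == user:
                for rule in policy:
                    yield rule.tag, dict(rule.attrib)


def rule_matches(attrs, action):
    """A rule matches when each of its attributes is present in the action and
    is either identical or the wildcard '*'."""
    return all(k in action and (v == "*" or action[k] == v) for k, v in attrs.items())


def is_allowed(xml_docs, user, **action):
    """Decide an action such as own="org.example.Foo" or
    send_destination="org.example.Foo", send_type="method_call"."""
    verdict = False  # no rule matched at all: denied
    for tag, attrs in applicable_rules(xml_docs, user):
        if rule_matches(attrs, action):
            verdict = tag == "allow"  # later rules override earlier ones
    return verdict
```

With only the baseline loaded, nothing is permitted; loading the service's file is what opens the name for its daemon and the method calls for every caller, which is the "hole punching" the message refers to.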
