Some odd issues with D-Bus on Solaris
Artem Kachitchkine
Artem.Kachitchkin at Sun.COM
Tue Sep 4 20:14:03 PDT 2007
>> I can see in the configure.in script that the default value is messagebus,
>> so I'm guessing D-Bus might want the system to have a new user and group of
>> this name? Are there any issues with just using root?
>
> It is substantially less secure all else equal. The "messagebus" user
> is intended to be a "nobody" type of user with no permissions to do
> anything; so if there were a buffer-overflow type exploit in
> dbus-daemon, the attacker would need to then additionally use
> dbus-daemon to exploit something else, since gaining user "messagebus"
> is not very useful. However, if you run dbus-daemon as root, then
> exploiting dbus-daemon is good enough on its own.
Solaris does that without nobody accounts, but using the least privilege
framework: basically a process can run as root, but have no root
privileges in the traditional UNIX sense. In more practical terms,
dbus-sysdeps-util-unix.c:_dbus_change_identity() needs a
Solaris-specific implementation.
> The dbus-daemon-launch-helper is used to start up a systemwide daemon
> and set that daemon to an appropriate user ID.
This will also need a Solaris-specific implementation, based on the
combination of the least privilege and RBAC (role-based access control).
I would recommend Brian to get help from Sun's security folks.
-Artem
More information about the dbus
mailing list