Some odd issues with D-Bus on Solaris

[Artem Kachitchkine]

>> I can see in the configure.in script that the default value is messagebus,
>> so I'm guessing D-Bus might want the system to have a new user and group of
>> this name?  Are there any issues with just using root?
> 
> It is substantially less secure all else equal. The "messagebus" user
> is intended to be a "nobody" type of user with no permissions to do
> anything; so if there were a buffer-overflow type exploit in
> dbus-daemon, the attacker would need to then additionally use
> dbus-daemon to exploit something else, since gaining user "messagebus"
> is not very useful. However, if you run dbus-daemon as root, then
> exploiting dbus-daemon is good enough on its own.

Solaris does that without nobody accounts, but using the least privilege 
framework: basically a process can run as root, but have no root 
privileges in the traditional UNIX sense. In more practical terms, 
dbus-sysdeps-util-unix.c:_dbus_change_identity() needs a 
Solaris-specific implementation.

> The dbus-daemon-launch-helper is used to start up a systemwide daemon
> and set that daemon to an appropriate user ID.

This will also need a Solaris-specific implementation, based on the 
combination of the least privilege and RBAC (role-based access control).

I would recommend Brian to get help from Sun's security folks.

-Artem