Anonymous auth method is broken

Schmottlach, Glenn glenn.schmottlach at
Mon Feb 2 05:31:15 PST 2009

Hi -

I reported that the <allow_anonymous/> patch didn't work back in
November. It looks like I applied it (to what was then the current DBus
head) before Colin reverted the patch. Since then I haven't had a chance
to test it with the 1.2.12 release and Peter Wurtz's patch to re-enable
the <allow_anonymous/> tag in the configuration file. If I get a chance,
I'll try to re-investigate it this week and provide further feedback. If
Peter's patch does work, I hope it will be considered for inclusion with
future releases.



-----Original Message-----
From: havoc.pennington at [mailto:havoc.pennington at] On
Behalf Of Havoc Pennington
Sent: Sunday, February 01, 2009 4:22 PM
To: Schmottlach, Glenn
Cc: dbus at
Subject: Re: Anonymous auth method is broken


On Sun, Feb 1, 2009 at 4:17 PM, Schmottlach, Glenn
<glenn.schmottlach at> wrote:
> So, it boils down to the fact that I'm inherently lazy. I have a
> reference dbus-daemon implementation that does 99.9% of what I want it
> to do. The 0.1% that is missing is being able to TCP/IP into the daemon.
> I'd rather not write a completely new daemon to implement this
> functionality. It's unfortunate that this feature could not be added but
> disabled by default (via the configuration file) to eliminate the
> obvious security hole. I'm sure I wouldn't be the only embedded
> developer who would appreciate this feature on the reference

A config flag <allow_anonymous/> with docs in 'man dbus-daemon' saying
that it is (obviously) insecure makes some sense to me, if it's just a
debug feature.
It looks like the patch on the bug already does this (well, minus
docs). Does that patch work for you guys?

Someone said on the bug that it does not seem to work:
Anyway, so that may need some debugging. I would add any fixes to the
patch or observations on whether it works as comments on the bug:

