[RFC] Making D-Bus suitable for being run early during boot

David Zeuthen zeuthen at gmail.com
Fri Jul 9 11:42:13 PDT 2010


Hi,

On Fri, Jul 9, 2010 at 12:28 PM, Lennart Poettering <mzqohf at 0pointer.de> wrote:
> Abstract namespace sockets are a fine choice for privileged code that
> runs so early at boot that no user could invade its namespace.

No, it's not generally fine at all because said process might crash
(or get nuked by the OOM killer or whatever) and then someone else
could grab the socket. Of course you could say that anyone connecting
to the socket needs to check the credentials of the other end but you
could also just stop using the abstract namespace in the first place
and avoid the problem earlier. Either way, please be careful saying
things like this as people will end up doing it and then they have a
potential security problem on their hands. And lots of extra work to
fix it.

> The reason why I want the abstract socket is that it works regardless
> whether any fs is writable, and hence can be bound from the moment on
> userspace exists. The only other place I could think of that is writable
> this early is /dev/shm, but overloading that dir this way doesn't look
> like an awesome solution to me.

I think it's too late to change anyway.

     David
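The two properties argued about above, shown in a small added C example that is not part of the mail thread or of D-Bus: a client verifying the listener's uid with SO_PEERCRED (the check David says connecting code would otherwise need), and the abstract name becoming immediately rebindable once the owning socket is closed. The socket name is a constructed placeholder; Linux-specific.

```c
#define _GNU_SOURCE            /* struct ucred and SO_PEERCRED are Linux-specific */
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Build an abstract-namespace address: sun_path starts with a NUL byte.
 * Returns the length to hand to bind()/connect(). */
static socklen_t abstract_addr(struct sockaddr_un *a, const char *name)
{
    memset(a, 0, sizeof(*a));
    a->sun_family = AF_UNIX;
    strncpy(a->sun_path + 1, name, sizeof(a->sun_path) - 2);   /* sun_path[0] stays '\0' */
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + strlen(name));
}

/* Connect to an abstract socket and return the uid of whoever is listening
 * (-1 on error).  SO_PEERCRED on the client side reports the listener's
 * credentials, so a client can refuse to talk to an unexpected uid. */
long listener_uid(const char *name)
{
    struct sockaddr_un addr; socklen_t len = abstract_addr(&addr, name);
    struct ucred cred; socklen_t clen = sizeof(cred);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0); long uid = -1;
    if (fd >= 0 && connect(fd, (struct sockaddr *)&addr, len) == 0 &&
        getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &clen) == 0)
        uid = cred.uid;
    if (fd >= 0) close(fd);
    return uid;
}

/* Bind a listener on NAME (a constructed name) in this process, check that a
 * connecting client sees our own uid, then close it and show the name is free
 * again at once (a second bind succeeds), which is what happens when the owner
 * crashes.  Returns 1 when both observations hold, 0 otherwise. */
int demo(const char *name)
{
    struct sockaddr_un addr; socklen_t len = abstract_addr(&addr, name);
    int srv = socket(AF_UNIX, SOCK_STREAM, 0);
    if (srv < 0 || bind(srv, (struct sockaddr *)&addr, len) < 0 || listen(srv, 1) < 0)
        return 0;
    int uid_ok = listener_uid(name) == (long)geteuid();
    close(srv);                          /* the "crash": nothing holds the name now */
    int again = socket(AF_UNIX, SOCK_STREAM, 0);
    int rebind_ok = again >= 0 && bind(again, (struct sockaddr *)&addr, len) == 0;
    if (again >= 0) close(again);
    return uid_ok && rebind_ok;
}
```

A filesystem socket in a root-owned, mode 0700 directory would not have the second property: the path (and its permission check) outlives the process.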

