[RFC] Fixing the machine id

Kay Sievers kay.sievers at vrfy.org
Sat Mar 5 10:59:28 PST 2011


On Sat, Mar 5, 2011 at 16:12, David Zeuthen <zeuthen at gmail.com> wrote:
> On Sat, Mar 5, 2011 at 9:46 AM, Lennart Poettering <mzqohf at 0pointer.de> wrote:
>>> using the abstract socket is bad for security since you have no
>>> permission checks anymore. And essentially anybody could start owning
>>> that socket. You do not really want that.
>>
>> Well, the system bus socket is accessible by everybody anyway, and
>> authentication is based on SCM_CREDENTIALS mostly anyway.
>
> Doesn't matter. The message bus client process does not check the
> credentials of the message bus process (in libdbus-1 and GDBus anyway)
> - only the message bus process checks the credentials of the client.
> So, yes, it's entirely possible for any random process to take over
> this abstract socket and pretend to be the system message bus. Of
> course the system message bus would need to somehow crash and that
> rarely happens.
>
> We could add bilateral authentication, sure, but that's just not how
> it works right now.

But we bind the socket with pid 1, and pass it to D-Bus at service
startup, don't we? Even if D-Bus crashes, it should not be a problem,
because no other process can ever take that over. Am I missing
something?

Kay
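
The client-side check the thread says libdbus-1 and GDBus do not perform, sketched as an added example (not part of the original message and not D-Bus code): the client reads the kernel-recorded credentials of the other end with SO_PEERCRED before trusting it. The socket name, the function names and the expected-uid policy are assumptions; Linux only.

```python
import socket
import struct

# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid
_UCRED = struct.Struct("iII")


def listen_abstract(name):
    """Bind and listen on an abstract-namespace AF_UNIX socket.

    The leading NUL byte selects the abstract namespace: the name has no
    file system entry, so no file mode or ownership restricts who may
    bind() it once it is free.
    """
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(b"\0" + name.encode())
    srv.listen(8)
    return srv


def peer_credentials(sock):
    """Return (pid, uid, gid) recorded by the kernel for the other end.

    On the connecting side these are the credentials of the process that
    called listen() on the socket, captured at that time.
    """
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def connect_checked(name, expected_uid):
    """Connect, then drop the connection unless the peer has expected_uid."""
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        cli.connect(b"\0" + name.encode())
        _pid, uid, _gid = peer_credentials(cli)
        if uid != expected_uid:
            raise PermissionError(
                "peer uid %d does not match expected uid %d" % (uid, expected_uid)
            )
    except Exception:
        cli.close()
        raise
    return cli
```

Because the credentials are those of the process that called listen(), a socket bound and listened on by one process and then handed to another still reports the first process to connecting clients.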

