D-Bus on non-Linux Unix, and on Linux with LSMs

Simon McVittie simon.mcvittie at collabora.co.uk
Thu Oct 10 05:51:49 PDT 2013


On 10/10/13 13:20, Simon McVittie wrote:
> In particular, users of non-Linux Unix: please test this release if you
> want your platform to remain supported. I'll reply with more info on that.
...
>   · Remove broken support for LOCAL_CREDS credentials passing, and
>     document where each credential-passing scheme is used (fd.o #60340,
>     Simon McVittie)

I noticed while investigating a portability bug that D-Bus theoretically
supported LOCAL_CREDS, originally for NetBSD's benefit; but it appeared
to have regressed as long ago as 2009, and no longer even compiled on
NetBSD. The NetBSD "port" applied a bunch of fairly extensive patches,
which introduced an entirely new credentials-passing scheme. I don't
intend to pick on NetBSD here: this is a general problem for any
platform that doesn't have anyone who regularly tests or contributes to
upstream D-Bus.

I deleted the broken LOCAL_CREDS support (it turned out to be redundant
with getpeereid()), but I can't put lots of time into testing and
debugging new mechanisms.

If you maintain a D-Bus fork for a non-Linux Unix platform, please send
patches upstream to us, and respond to review comments / requests for
changes so they can be applied. If patches don't get to
bugs.freedesktop.org, we will probably never find out about them, and
we'll end up either wasting a lot of time trying to support and preserve
code that doesn't actually even work, or just giving up and deleting
everything we don't understand the need for. Worst case, the local
patches in a D-Bus fork might look reasonable to non D-Bus specialists,
but introduce a subtle security flaw on your platform - we don't want that.

From my point of view, Linux with security modules (LSMs, like SELinux
and Smack) is like a separate Unix that closely resembles Linux. Again,
if you want D-Bus to work optimally on Linux-with-LSMs, the onus is on
you to test it, send patches upstream, and respond to review: the "core"
D-Bus maintainers are not LSM specialists, and are not going to test
everything on your favourite LSM.

As an arbitrary age cutoff that makes a reasonable amount of sense
(borrowed from Ralf's policy for D-Bus on Windows), I'm willing to
review portability patches for any Unix that has active security support
from its vendor. I don't guarantee to apply them if they have problems
(including making D-Bus less maintainable, or making things worse for
other OSs) but I'll at least consider it. I'll tend to give higher
priority to OSs that are their vendor's current stable release (e.g.
Debian 7) than OSs that are outdated-but-still-supported (e.g. Debian 6,
at the moment).

Another request for people on non-Linux Unix: please, please, run the
tests. If they fail, help us to make them pass, rather than ignoring
them. They're there for a reason! For instance, I recently fixed a test
that asserted that the process ID is sent through credentials-passing.
That test can't possibly have passed on any platform that relies on
getpeereid() (which passes the euid/egid only).

Regards,
    S


