[RFC] remove <allow_anonymous/> from dbus config?

Simon McVittie simon.mcvittie at collabora.co.uk
Mon Sep 9 03:45:33 PDT 2013

On 09/09/13 02:58, Yang Chengwei wrote:
> If <auth>ANONYMOUS</auth> configured or no <auth> configured, then 
> ANONYMOUS auth mechanism is used, that means the user want to
> enable ANONYMOUS connections. However, in fact, to enable
> ANONYMOUS connections, one should config both
> <auth>ANONYMOUS</auth> and <allow_anonymous/>. Some kind of
> duplicated.

<auth>ANONYMOUS</auth> is about authentication: ANONYMOUS is a
standard SASL authentication mechanism in which you say "I am
anonymous" and the server says "OK".

<allow_anonymous/> is about authorization: it determines whether a
connection that has said "I am anonymous" is allowed to remain connected.

The difference between authentication and authorization is discussed
in <https://bugs.freedesktop.org/show_bug.cgi?id=39720>. The short
version is: suppose you are trying to connect to my session bus. If
you say "I am Chengwei Yang and here are the Unix credentials that
prove it", and my session bus responds "yes, but only Simon is allowed
to connect to this bus", that's an authorization failure. If you say
"I am Simon McVittie", the bus asks you to prove it, and you can't,
then that's an authentication failure.

> Should we remove <allow_anonymous/> and just let user configure 
> ANONYMOUS auth mechanism if ANONYMOUS connections wanted?

As a general principle, I will not accept patches that make a
previously-secure configuration insecure.

I think it's OK for enabling anonymous connections to take several
steps, because they're only appropriate in unusual situations. If
nothing else, requiring more configuration forces the administrator to
think a bit more about what they're doing.


More information about the dbus mailing list