about using privileged (KAuth) helpers: system dbus daemon on OS X?
René J.V. Bertin
rjvbertin at gmail.com
Mon Sep 19 00:30:22 UTC 2016
On Sunday September 18 2016 16:57:48 Thiago Macieira wrote:
> I have no idea what other kind of helper there may be. There's only "dbus-
> daemon-launch-helper", which is setuid root, but setuids to the service's
> user. The launched service only sees its own UID, never 0.
There's too much room for confusion here: dbus-daemon-launch-helper the helper for DBus, and the process that implements the service which is (or can act as) a helper for the actual operation that is to be done.
> > So we have a user application (say, ksysguard) that calls DBus routines to
> > launch a privileged helper process (ksysguardprocesslist_helper), a master
> That's not how it works. An application asks for a service, like org.bluez. If
> there's a .service file that matches that, it specifies the executable name
> along with the user ID to run under. Then dbus-daemon runs dbus-daemon-launch-
> helper and that will setuid, clean the environment, then exec the target
Not to contradict you, but that looks almost exactly like what I tried to describe in different words...
> No, that's the UID for dbus-daemon running as the system bus. The helper runs
> as root, then setuid()s, as described above.
>From what I've seen the helper binary must be owned root and have the setuid bit set, so that when it launches it has uid=messagebus and euid=root.
> > If the privileged helper (slave) is supposed to connect to the system dbus
> > when launched via dbus-daemon-helper-tool, how/why does it do so on Linux?
> The helper does not connect to the any bus. The executable that it launches is
> expected to connect ot the system bus, as described above.
Again, that's the helper I meant, not the dbus helper.
Is it roughly correct to say that on Linux an application will try to connect on the system bus if it doesn't find a session bus address?
More information about the dbus