about using privileged (KAuth) helpers: system dbus daemon on OS X?

Simon McVittie simon.mcvittie at collabora.co.uk
Fri Sep 23 10:24:16 UTC 2016


On 19/09/16 21:10, René J.V. Bertin wrote:
> Would it be a bad idea to modify _dbus_lookup_launchd_socket() so it uses getenv()
> to check if DBUS_STARTER_BUS_TYPE is set to system and if so return the value of
> DBUS_STARTER_ADDRESS ?

This would almost certainly be a bad idea. A given address string (for
example launchd:) should have a well-defined meaning. You appear to be
giving it two meanings: either the launchd-derived address for the
session bus, or the launchd-derived address for the system bus. Please
don't do that.

Firstly, I'd like to reiterate Thiago's comments about the system bus
not necessarily being appropriate on OS X. The primary purpose of the
system bus is to communicate with privileged infrastructure services in
the OS itself. On Windows and OS X, D-Bus is not part of the operating
system, so by definition any privileged infrastructure services that are
provided by the underlying OS have some other way for their clients to
communicate with them.

If you want to use launchd for a system bus, here's what you should do:

* double-check your design to make sure there is no way an unprivileged
  user can change the result to a malicious dbus-daemon controlled by
  them

* define either a new address family, launchd-system:, or a new
  parameter to the launchd address family, launchd:type=system (with the
  default for type being "session" to get the current behaviour)

* propose a branch that adds the system-supporting address family to
  both the D-Bus Specification and the reference implementation

However, I suspect that a better way to have a system bus on OS X, if
one is genuinely useful, would be to use a fixed Unix socket address in
a directory controlled by the sysadmin and unavailable to ordinary
users, just like what's done on other Unix platforms. You can already do
this: make your system bus listen on
${localstatedir}/run/dbus/system_bus_socket (where ${localstatedir} is
the argument to ./configure --localstatedir). Or if that's an unsuitable
address for some reason, you can override the assumed system bus socket
filename directly, like this:

    ./configure --with-system-socket=/Library/dbus/system_bus_socket

If you want to change the defaults in configure.ac so that a plain
"./configure" does the right thing, please talk to other users of D-Bus
on Darwin and OS X (Homebrew, Fink, etc.) to reach consensus, cc'ing
this list; then propose a patch implementing and documenting the
consensus decision.

-- 
Simon McVittie
Collabora Ltd. <http://www.collabora.com/>
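
An added example, not part of the original message or of the D-Bus code base: one way to check the property the message asks for, that the system bus socket sits in a location ordinary users cannot modify. The function name, the trusted-uid set (root only by default) and the strict treatment of group-writable directories are assumptions of this sketch.

```python
import os
import stat
import sys

# Path taken from the --with-system-socket example in the message above.
DEFAULT_SOCKET = "/Library/dbus/system_bus_socket"

def audit_socket_path(socket_path, trusted_uids=frozenset({0})):
    """Return (path, problem) pairs for each part of the socket's location
    that a user outside trusted_uids could write to or replace."""
    findings = []
    # Resolve symlinks in the directory part so the real directories are
    # the ones inspected (on OS X, /var is a symlink to /private/var).
    parent = os.path.realpath(os.path.dirname(os.path.abspath(socket_path)))
    target = os.path.join(parent, os.path.basename(socket_path))
    # Every ancestor matters: write access to any one of them can allow
    # swapping what lies below it for another directory and socket.
    ancestors = ["/"]
    for part in parent.split("/"):
        if part:
            ancestors.append(os.path.join(ancestors[-1], part))
    for directory in ancestors:
        st = os.lstat(directory)
        if st.st_uid not in trusted_uids:
            findings.append((directory, "owned by untrusted uid %d" % st.st_uid))
        # Assumed strict policy: group write is flagged as well as other.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((directory, "writable by group or other"))
    try:
        st = os.lstat(target)
    except FileNotFoundError:
        findings.append((target, "does not exist"))
        return findings
    # Clients need write permission on a Unix socket to connect, so the
    # socket's mode bits are not flagged, only its type and owner.
    if not stat.S_ISSOCK(st.st_mode):
        findings.append((target, "not a Unix socket"))
    if st.st_uid not in trusted_uids:
        findings.append((target, "owned by untrusted uid %d" % st.st_uid))
    return findings

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_SOCKET
    problems = audit_socket_path(path)
    for where, what in problems:
        print("%s: %s" % (where, what))
    sys.exit(1 if problems else 0)
```

Run with the socket path as the only argument; the exit status is non-zero when any finding is reported.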

