session dbus for root user.
Simon McVittie
smcv at collabora.com
Wed Aug 15 12:42:32 UTC 2018
On Wed, 15 Aug 2018 at 11:42:18 +0200, René J.V. Bertin wrote:
> If that's not what you're doing but you have problems connecting to
> a session dbus when using sudo, try to figure out how to preserve the
> DBUS_SESSION_BUS_ADDRESS variable through the sudo call, and if that's
> good enough for your purposes.
This will not work: the session bus only allows the matching uid to
connect. (We don't special-case uid 0 when checking for a matching uid,
to keep things simple and easy to audit.)
If you are using sudo, su, pkexec or equivalent to escalate privileges
from an ordinary user to root, then you should not attempt to connect
root processes to the ordinary user's session bus. Session bus clients
normally trust the session bus, but if a root session bus client trusts
the ordinary user's session bus, then the ordinary user's session bus
would probably be able to escalate to the privileges of the client,
which defeats the purpose of separating privileges.
If you must, you can drop privileges from root back to the real user
and connect that privilege-dropped process to the session bus.
smcv
More information about the dbus
mailing list