'Machine ID' underspecified?

Thomas Kluyver thomas at kluyver.me.uk
Wed Dec 9 12:36:42 UTC 2020


I've made a pull request:
https://gitlab.freedesktop.org/dbus/dbus/-/merge_requests/198

I noticed that the systemd man page describing /etc/machine-id says:

> This ID uniquely identifies the host. It should be considered "confidential", and must not be exposed in untrusted environments, in particular on the network. If a stable unique identifier that is tied to the machine is needed for some application, the machine ID or any part of it must not be used directly. Instead the machine ID should be hashed...

I guess that normally dbus is a trusted environment, and all of the processes talking to it would typically be able to read /etc/machine-id anyway. But is it a potential cause for concern that this is exposed on every object? E.g. if you exposed a D-Bus proxy to the network which only accepted messages to certain bus/object names, should you also handle GetMachineId specially in the proxy to avoid exposing the 'confidential' ID?

Thomas
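
Added example, not part of the original message or of the dbus project's code: a sketch of how a network-facing proxy like the one described above could answer GetMachineId itself with a keyed hash of the machine ID instead of forwarding the call. The message dictionary layout, the allowlist, the sample IDs and the choice of HMAC-SHA256 as the keyed hash are assumptions made for illustration.

```python
import hashlib
import hmac
import uuid

PEER_IFACE = "org.freedesktop.DBus.Peer"

# Constructed sample values, not real identifiers.
SAMPLE_MACHINE_ID = "0123456789abcdef0123456789abcdef"
PROXY_APP_ID = uuid.UUID("6f1c2d3e-4a5b-4c6d-8e7f-901a2b3c4d5e")  # hypothetical
ALLOWED = {("com.example.Service", "/com/example/Service")}       # hypothetical


def app_specific_id(machine_id_hex, app_id):
    """Keyed hash of the machine ID (assumption: HMAC-SHA256, cut to 128 bits)."""
    key = bytes.fromhex(machine_id_hex.strip())
    if len(key) != 16:
        raise ValueError("machine ID must be 32 hex characters")
    return hmac.new(key, app_id.bytes, hashlib.sha256).digest()[:16].hex()


def filter_call(msg, machine_id_hex=SAMPLE_MACHINE_ID):
    """Decide what the proxy does with one method call.

    msg is a dict with destination, path, member and optional interface
    (a simplified stand-in for a parsed D-Bus message header).
    Returns ("deny", None), ("forward", None) or ("reply", value).
    """
    if (msg.get("destination"), msg.get("path")) not in ALLOWED:
        return ("deny", None)
    # The interface header field is optional on method calls, so a call
    # naming only the member can still reach the Peer implementation.
    if msg.get("member") == "GetMachineId" and msg.get("interface") in (PEER_IFACE, None):
        # Answer locally; the real ID never crosses the proxy.
        return ("reply", app_specific_id(machine_id_hex, PROXY_APP_ID))
    return ("forward", None)


if __name__ == "__main__":
    call = {"destination": "com.example.Service", "path": "/com/example/Service",
            "interface": PEER_IFACE, "member": "GetMachineId"}
    print(filter_call(call))
```

Matching on the member name when the interface field is absent is deliberately conservative: it also intercepts a service-defined GetMachineId called without an interface.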

