Help: connect to different dbus session addresses

Simon McVittie smcv at collabora.com
Tue Feb 7 19:50:53 UTC 2023


On Mon, 28 Nov 2022 at 16:46:51 +0100, Joan Torres wrote:
> How can I make a system daemon running as gdm user connect to any user
> dbus session to start a unit service using systemd1 dbus API? Is there a
> way using dbus rules?

Sorry, this is not how D-Bus is designed to work.

The session bus is not designed to act as a security boundary (anyone
who can connect to it can do anything, unless prevented by a filtering
proxy like xdg-dbus-proxy), so if a system user is able to connect to
a session bus, then they can induce the owner of that session bus to run
arbitrary code.

If a system user can run arbitrary code as various different user
accounts, then that user is trusted, in the security sense of the word:
it is technically able to evade your security policy. That basically
makes it root. The usual Unix model is that the ability to bypass your
security policy is reserved for uid 0.

On Mon, 28 Nov 2022 at 17:00:53 +0100, Zeeshan Ali Khan wrote:
> Why not have a session service setup to start automatically on each
> session start?

That's the way this sort of thing is normally done on D-Bus: code that
is "owned" by the user runs as part of the session, and connects to the
system bus to do whatever coordination is necessary.

    smcv
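
The pattern described in the reply above, as an added example that is not part of the original message or of any D-Bus project code: a per-user agent, started with each session, that listens on the system bus and starts only allow-listed user units. The `com.example.*` names, the signal and the unit names are hypothetical; `dbus-monitor` and `busctl` are assumed to be installed.

```shell
#!/bin/sh
# Added example: per-user session agent. Meant to be started by a systemd
# user unit so it runs as the session's own user, not as the system daemon.
# All com.example.* names, the signal and the unit names are hypothetical.

SENDER=com.example.Greeter        # well-known system-bus name of the daemon
IFACE=com.example.Greeter1        # interface the daemon emits on
MEMBER=SessionTaskRequested       # signal carrying one string argument

# Map a request token to a fixed user unit. Unknown tokens are refused, so
# the system daemon can only choose among units the session already ships.
unit_for_request() {
    case "$1" in
        prepare) echo example-prepare.service ;;
        cleanup) echo example-cleanup.service ;;
        *) return 1 ;;
    esac
}

# Pull the string argument out of one line of dbus-monitor output
# (argument lines look like:    string "prepare"). Lowercase tokens only.
request_from_line() {
    printf '%s\n' "$1" | sed -n 's/^ *string "\([a-z]*\)"$/\1/p'
}

# StartUnit(name, mode) on the user's own systemd instance (session bus).
start_user_unit() {
    busctl --user call org.freedesktop.systemd1 /org/freedesktop/systemd1 \
        org.freedesktop.systemd1.Manager StartUnit ss "$1" replace
}

# Subscribe to the daemon's broadcast signal on the system bus and act on it.
agent_main() {
    dbus-monitor --system \
        "type='signal',sender='$SENDER',interface='$IFACE',member='$MEMBER'" |
    while IFS= read -r line; do
        req=$(request_from_line "$line")
        [ -n "$req" ] || continue
        unit=$(unit_for_request "$req") || continue   # not allow-listed: ignore
        start_user_unit "$unit"
    done
}

# Only start listening when invoked as: agent.sh run
if [ "${1:-}" = "run" ]; then agent_main; fi
```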

