[arch-dev-public] Dbus on archlinux and permissions
I'm planning to update dbus to the latest release. Reading the release notes, I found this:
Due to a security issue (CVE-2008-4311) for which a large number of system services need fixes, the dbus 1.2 stable branch has been split into two streams. The "1.2.4Xpermissive" branch originates from 1.2.4, and maintains the unintended permissive default for messages. Releases 1.2.6 and later have a default deny. It is intended that the permissive branch only be used temporarily by vendors. For more information, see this mail: http://lists.freedesktop.org/archives/dbus/2008-December/010769.html
I would like to package the 1.2.4.4permissive release now. As soon as it's moved into core, I would like to add the non-permissive version to testing and see what breaks. Doing so, we can close down this security leak in dbus and have all affected services fixed.
Jan de Groot wrote:
> As soon as it's moved into core, I would like to add the non-permissive version to testing and see what breaks. Doing so, we can close down this security leak in dbus and have all affected services fixed.
I think we can start closing down services even now, as the new dbus gives you several warnings (from auth.log):
Mar 9 09:27:23 artin dbus-daemon: Would reject message, 1 matched rules; type="method_call", sender=":1.11" (uid=1000 pid=4903 comm="kded4 ") interface="org.freedesktop.Hal.Device.CPUFreq" member="GetCPUFreqAvailableGovernors" error name="(unset)" requested_reply=0 destination="org.freedesktop.Hal" (uid=0 pid=4373 comm="/usr/sbin/hald "))
I can post a complete list if these are useful in any way.
On Mon, 2009-03-09 at 09:31 +0100, Thomas Bächler wrote:
> Jan de Groot wrote:
>> As soon as it's moved into core, I would like to add the non-permissive version to testing and see what breaks. Doing so, we can close down this security leak in dbus and have all affected services fixed.
> I think we can start closing down services even now, as the new dbus gives you several warnings (from auth.log):
> Mar 9 09:27:23 artin dbus-daemon: Would reject message, 1 matched rules; type="method_call", sender=":1.11" (uid=1000 pid=4903 comm="kded4 ") interface="org.freedesktop.Hal.Device.CPUFreq" member="GetCPUFreqAvailableGovernors" error name="(unset)" requested_reply=0 destination="org.freedesktop.Hal" (uid=0 pid=4373 comm="/usr/sbin/hald "))
> I can post a complete list if these are useful in any way.
I wasn't aware of this change, but it's certainly useful. This helps us to fix permissions before we break random things by pushing a new dbus version to testing :) Please create a bug report, assign it to me, and add all the log entries you see.
participants (2): Jan de Groot, Thomas Bächler
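
One way to turn the "Would reject message" warnings into a per-service list for a bug report, as an added example that is not part of the original thread. Only the first sample line is the warning quoted above; the other lines and the names example-applet, org.example.Service and exampled are constructed.

```python
import re
from collections import defaultdict

# First line is the warning quoted in the thread; the rest are constructed.
SAMPLE_LOG = '''\
Mar 9 09:27:23 artin dbus-daemon: Would reject message, 1 matched rules; type="method_call", sender=":1.11" (uid=1000 pid=4903 comm="kded4 ") interface="org.freedesktop.Hal.Device.CPUFreq" member="GetCPUFreqAvailableGovernors" error name="(unset)" requested_reply=0 destination="org.freedesktop.Hal" (uid=0 pid=4373 comm="/usr/sbin/hald "))
Mar 9 09:27:41 artin dbus-daemon: Would reject message, 1 matched rules; type="method_call", sender=":1.14" (uid=1000 pid=5012 comm="example-applet ") interface="org.freedesktop.Hal.Device.CPUFreq" member="GetCPUFreqAvailableGovernors" error name="(unset)" requested_reply=0 destination="org.freedesktop.Hal" (uid=0 pid=4373 comm="/usr/sbin/hald "))
Mar 9 09:28:02 artin dbus-daemon: Would reject message, 1 matched rules; type="method_call", sender=":1.11" (uid=1000 pid=4903 comm="kded4 ") interface="org.example.Service" member="DoThing" error name="(unset)" requested_reply=0 destination="org.example.Service" (uid=0 pid=4400 comm="/usr/sbin/exampled "))
Mar 9 09:28:05 artin login: constructed unrelated line
'''

# Plain key="value" fields, and the two peers that carry (uid= pid= comm=).
FIELDS = {n: re.compile(r'\b%s="([^"]*)"' % n) for n in ("type", "interface", "member")}
PEERS = {n: re.compile(r'\b%s="([^"]*)" \(uid=(\d+) pid=(\d+) comm="([^"]*)"' % n)
         for n in ("sender", "destination")}

def parse_line(line):
    """Return a dict for a 'Would reject message' warning, else None."""
    if "Would reject message" not in line:
        return None
    rec = {}
    for name, rx in FIELDS.items():
        m = rx.search(line)
        rec[name] = m.group(1) if m else None
    for name, rx in PEERS.items():
        m = rx.search(line)
        if m is None:
            return None  # truncated or unexpected layout: skip, do not guess
        rec[name] = m.group(1)
        rec[name + "_uid"] = int(m.group(2))
        rec[name + "_comm"] = m.group(4).strip()
    return rec

def summarize(log_text):
    """Map destination service -> {(interface, member): set of caller commands}."""
    out = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            out[rec["destination"]][(rec["interface"], rec["member"])].add(rec["sender_comm"])
    return {dest: dict(calls) for dest, calls in out.items()}

if __name__ == "__main__":
    for dest, calls in sorted(summarize(SAMPLE_LOG).items()):
        print(dest)
        for (iface, member), callers in sorted(calls.items()):
            print("  %s.%s  called by: %s" % (iface, member, ", ".join(sorted(callers))))
```

Each destination in the output is a service whose bus policy would stop working under the default-deny releases for the listed calls.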