Bug 15393 - [patch] Allow anonymous authorization
Status: RESOLVED FIXED
Alias: None
Product: dbus
Classification: Unclassified
Component: core
Version: 1.3.x (devel)
Hardware: All All
Importance: low enhancement
Assignee: Havoc Pennington
QA Contact: John (J5) Palmieri
URL:
Whiteboard:
Keywords: NEEDINFO
Depends on:
Blocks:
 
Reported: 2008-04-07 13:22 UTC by Dennis Kaarsemaker
Modified: 2013-11-20 13:17 UTC


Attachments
Allow anonymous users (4.79 KB, patch)
2008-04-07 13:22 UTC, Dennis Kaarsemaker
Allow anonymous users (dbus 1.2.12) (4.54 KB, patch)
2009-02-01 20:28 UTC, Peter Würtz

Description Dennis Kaarsemaker 2008-04-07 13:22:28 UTC
Created attachment 15743
Allow anonymous users

Dbus supports an anonymous authentication mechanism, but after successfully authenticating to the standard dbus daemon, authorization always fails. The attached patch adds a new config tag, <allow_anonymous/>, and the code to allow anonymous users if this tag is spotted in the config.

The reason I created this is that I want to use dbus as IPC between processes running on several hosts. And until a proper authentication mechanism for that is written (which is on my TODO list, but this was easier ;)) I will rely on host-based authentication (firewall) and want to use this.

Please consider including this in dbus.
Comment 1 Colin Walters 2008-11-12 05:53:43 UTC
Was tempted to say for this kind of thing "use DBusServer", but on the other hand we give one plenty of rope in the config file as is now.

Applied, thanks.

commit 07a4ad4b04702fc384b324e5f902a5b2279b0c25
Author: Dennis Kaarsemaker <dennis@kaarsemaker.net>
Date:   Wed Nov 12 08:51:00 2008 -0500

    Bug 15393 - support allow_anonymous config variable
    
    	* bus/bus.c: Set allow_anonymous if specified from
    	parser.
    	* bus/config-parser.c: Parse it.
    	* bus/config-parser-common.h: Declare it.
    
    Signed-off-by: Colin Walters <walters@verbum.org>

Comment 2 Colin Walters 2009-01-06 15:47:05 UTC
So from the mailing list discussion:
http://lists.freedesktop.org/archives/dbus/2008-November/010632.html

it sounds like this patch doesn't work as intended.  I don't have time at the moment to look into it myself; but I would like to reduce the differences between dbus-1.2 (where this patch is not applied) and master.  

So, does anyone mind if I revert this patch until we've worked through the issues?
Thanks.
Comment 3 Havoc Pennington 2009-01-31 12:04:27 UTC
Here's a ton of old discussion for future reference:

http://lists.freedesktop.org/archives/dbus/2007-November/009000.html
http://lists.freedesktop.org/archives/dbus/2007-November/009001.html
http://lists.freedesktop.org/archives/dbus/2008-August/010209.html
http://lists.freedesktop.org/archives/dbus/2008-August/010208.html
http://lists.freedesktop.org/archives/dbus/2008-July/010176.html
http://lists.freedesktop.org/archives/dbus/2008-August/010212.html

I still don't really see where someone has written down evidence they've thought through what happens security-wise with a patch like this.

Also, there's no unit tests. The ordeal around bus policies shows the potential consequences of that.
Comment 4 Peter Würtz 2009-02-01 20:28:13 UTC
Created attachment 22457
Allow anonymous users (dbus 1.2.12)

dbus-daemon allows anonymous users if <allow_anonymous/> is set in the configuration file
Comment 5 Peter Würtz 2009-02-01 20:43:26 UTC
After patching the current release (dbus 1.2.12), I successfully connected a client to a remote dbus-daemon via tcp and retrieved the list of services on the bus with ListNames().

After removing <allow_anonymous/> from the daemon config file, the client is denied access as expected.
Comment 6 Colin Walters 2009-07-15 08:07:53 UTC
Quick note on this one; the original patch got applied to master, we need to revert that before evaluating this new one.

Also as Havoc said there's no unit tests.
Comment 7 Julien Isorce 2010-01-14 06:44:41 UTC
(In reply to comment #4)
> Created an attachment (id=22457) [details]
> Allow anonymous users (dbus 1.2.12)
> 
> dbus-daemon allows anonymous users if <allow_anonymous/> is set in the
> configuration file
>

There is only "+" in this last patch and all are in latest git, right?
Comment 8 Julien Isorce 2010-01-14 08:47:11 UTC
I have tested with latest git.

Server on win32, ip 192.168.0.182 :

Part of the dbus-daemon configuration file:

<auth>ANONYMOUS</auth>
<allow_anonymous/>
<listen>tcp:host=192.168.0.182,port=12434</listen>

Client on linux, ip 192.168.0.32:

DBUS_SESSION_BUS_ADDRESS="tcp:host=192.168.0.182,port=12434" dbus-send --print-reply --dest="org.freedesktop.DBus" /org/freedesktop/DBus/Introspectable org.freedesktop.DBus.Introspectable.Introspect

So I can confirm that this patch is in git and works as expected.
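
An added example, not part of the original comment or of the D-Bus code base: a Python check that flags a dbus-daemon configuration like the one above, where <allow_anonymous/> is combined with a TCP listener on a non-loopback address. The <busconfig> wrapper in the sample is constructed, and the handling of the bind key and the localhost default for host are assumptions taken from the D-Bus specification's tcp transport.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample: the fragment from comment 8 wrapped in a <busconfig> root.
SAMPLE = """<busconfig>
  <auth>ANONYMOUS</auth>
  <allow_anonymous/>
  <listen>tcp:host=192.168.0.182,port=12434</listen>
</busconfig>"""


def parse_addresses(text):
    """Split a D-Bus address list 'transport:k=v,k=v;...' into (transport, params)."""
    out = []
    for entry in filter(None, (e.strip() for e in text.split(";"))):
        transport, _, rest = entry.partition(":")
        params = dict(kv.split("=", 1) for kv in rest.split(",") if "=" in kv)
        out.append((transport, {k: unquote(v) for k, v in params.items()}))
    return out


def is_loopback(host):
    """True for 'localhost' or a literal loopback IP; any other name counts as remote."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit(config_xml):
    """Return findings for a dbus-daemon config that authorizes anonymous peers."""
    root = ET.fromstring(config_xml)
    if root.find(".//allow_anonymous") is None:
        return []
    findings = ["allow_anonymous set: unauthenticated peers are authorized"]
    # With no <auth> element the daemon permits every mechanism it knows.
    mechs = [a.text.strip() for a in root.iter("auth") if a.text]
    if not mechs or "ANONYMOUS" in mechs:
        findings.append("ANONYMOUS mechanism is permitted")
    for listen in root.iter("listen"):
        for transport, params in parse_addresses(listen.text or ""):
            # Assumed from the D-Bus spec: 'bind' overrides 'host'; host defaults to localhost.
            addr = params.get("bind", params.get("host", "localhost"))
            if transport in ("tcp", "nonce-tcp") and not is_loopback(addr):
                findings.append(f"{transport} listener reachable off-host: {addr}")
    return findings
```

Files pulled in with <include> are not followed; run audit() on each one, since comment 10 below concerns the flag being set from an included configuration file.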
Comment 9 Simon McVittie 2011-01-19 08:07:43 UTC
Peter: how does your patch differ from Dennis' patch, and do we still need to apply it?

Dennis: is there anything else to be done here?

I don't think this is a high priority for the core D-Bus maintainers right now - anonymous auth is a rather niche use of D-Bus compared with the system/session bus on mainstream systems - but I'd accept patches.
Comment 10 Cristian Oneț 2011-05-30 01:22:40 UTC
  if (included->allow_anonymous)
    parser->allow_anonymous = TRUE;

Should be added to merge_included in config-parser.c to allow the flag to be set from an included configuration file.
Comment 11 Chengwei Yang 2013-11-20 13:17:34 UTC
Close it, given that anonymous auth was already supported.

