Bug 2436 - session bus does not restrict connections base on uid
Summary: session bus does not restrict connections base on uid
Alias: None
Product: dbus
Classification: Unclassified
Component: core (show other bugs)
Version: unspecified
Hardware: x86 (IA32) Linux (All)
: high major
Assignee: Havoc Pennington
QA Contact:
Depends on:
Reported: 2005-01-31 15:01 UTC by Daniel Reed
Modified: 2006-08-01 10:26 UTC (History)
3 users (show)

See Also:
i915 platform:
i915 features:

possible fix (1.92 KB, patch)
2005-01-31 15:51 UTC, Havoc Pennington
Details | Splinter Review
better fix (1.89 KB, patch)
2005-01-31 15:59 UTC, Havoc Pennington
Details | Splinter Review

Description Daniel Reed 2005-01-31 15:01:53 UTC
If I login as root and create a session bus, then login as another user, I am
able to use dbus-send to connect to root's session bus.

To reproduce:
Login as root, open a terminal, echo $DBUS_SESSION_BUS_ADDRESS, write down the
Run dbus-monitor --session

Login as another user on a console, run:
env DBUS_SESSION_BUS_ADDRESS=(address written down above) dbus-send
--dest=org.freedesktop.DBus --type=method_call --print-reply
/org/freedesktop/DBus org.freedesktop.DBus.ListServices

The dbus-send gives a message about not being able to print the return value,
and the dbus-monitor on root's session bus shows the ListServices request coming
Comment 1 Havoc Pennington 2005-01-31 15:51:03 UTC
Created attachment 1802 [details] [review]
possible fix
Comment 2 Havoc Pennington 2005-01-31 15:52:17 UTC
s/=/==/ in that patch...
Comment 3 Havoc Pennington 2005-01-31 15:59:12 UTC
Created attachment 1803 [details] [review]
better fix


After discussion we decided allowing root was bad, you can always put
<allow user="root"/> in the conf file if you want.
Comment 4 Mark J Cox 2005-02-01 05:41:02 UTC
I've assigned CAN-2005-0201 to this issue.
Comment 5 John (J5) Palmieri 2005-05-02 15:35:08 UTC
This was fixed some time ago
Comment 6 Daniel Stone 2005-08-29 01:24:41 UTC

This patch only ever got applied to the 0.2x branch, which means that 0.3x is
still vulnerable.  Recommend applying this to HEAD and releasing 0.36.2 with no
further changes immediately.
Comment 7 Daniel Stone 2005-08-29 01:39:50 UTC
restricting to newly-formed dbus security group
Comment 8 Daniel Stone 2005-08-29 01:40:16 UTC
j5 -- can we do 0.36.2?
Comment 9 John (J5) Palmieri 2005-08-29 13:06:23 UTC
Fix is in CVS on the DBUS_0_36_2 and HEAD branches and released at http://
Comment 10 John (J5) Palmieri 2005-08-29 15:14:28 UTC

Opening up bug since it is public

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.