with commit http://cgit.freedesktop.org/geoclue/commit/?id=7c3dc2420042364f530e4201eb84c913b48dece8 the dbus service was moved from the session bus to the system bus, resulting in a binary now running as a fully privileged user (which is also emphasized by a later commit, explicitly specifying User=root in the .service file). What's the rationale behind this? Despite carefully taking care, this means that any exploit, current and future (not that I'm currently aware of any), has full system access, even though at first sight I fail to see why this would be a requirement for this service. These are valid concerns raised as well by the openSUSE Security team: https://bugzilla.novell.com/show_bug.cgi?id=838360 If no explicit reason exists to run privileged, it is strongly advised NOT to do so.
(In reply to comment #0)
> with commit http://cgit.freedesktop.org/geoclue/commit/?id=7c3dc2420042364f530e4201eb84c913b48dece8 the dbus service was moved from the session bus to system bus, resulting in a binary now running as fully privileged user (which is also emphasized by a later commit, explicitly specifying User=root in the .service file).
>
> What's the rationale behind this?

1) It shouldn't be a session service because a normal user would have access to it, and the service needs access to hardware. This is clearly incompatible.
2) The D-Bus service should run as an unprivileged system user, not as root.
3) ModemManager should disable access to the location interface for any users but the unprivileged system user geoclue is running as. gypsy has autotools code to do that sort of thing.
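The rationale in the reply above (a system-bus service activated under a dedicated unprivileged User= rather than root) as an added check, not code from GeoClue or from this bug: a lint over D-Bus activation files that flags services declared with User=root or with no User= line at all. It assumes the standard [D-BUS Service] file layout and the usual /usr/share/dbus-1/system-services install path; the two sample files embedded in it are constructed.

```python
# Added example, not GeoClue project code: lint D-Bus system-bus activation
# files ([D-BUS Service] section with Name=, Exec=, User=) for daemons that
# would be started as root. SYSTEM_SERVICE_DIR is the usual install path (an
# assumption); the two sample files below are constructed.
import configparser
import glob
import os

SYSTEM_SERVICE_DIR = "/usr/share/dbus-1/system-services"
# Constructed samples: the pre-fix activation file and the hardened one.
ROOT_SERVICE = """[D-BUS Service]
Name=org.freedesktop.GeoClue2
Exec=/usr/libexec/geoclue
User=root
"""
UNPRIV_SERVICE = """[D-BUS Service]
Name=org.freedesktop.GeoClue2
Exec=/usr/libexec/geoclue
User=geoclue
"""

def check_service_text(text, path="<inline>"):
    """Return findings (strings) for the contents of one activation file."""
    cp = configparser.ConfigParser(interpolation=None)  # Exec may contain '%'
    cp.optionxform = str  # D-Bus keys are case-sensitive
    cp.read_string(text)
    if not cp.has_section("D-BUS Service"):
        return [f"{path}: no [D-BUS Service] section"]
    sec = cp["D-BUS Service"]
    name = sec.get("Name", "?")
    user = sec.get("User")
    if user is None:
        return [f"{path}: {name}: no User= line (account to run as not set)"]
    if user == "root":
        return [f"{path}: {name}: User=root (use a dedicated unprivileged account)"]
    return []

def scan_directory(directory=SYSTEM_SERVICE_DIR):
    """Check every *.service file in a system-services directory."""
    findings = []
    for path in sorted(glob.glob(os.path.join(directory, "*.service"))):
        with open(path, encoding="utf-8") as fh:
            findings.extend(check_service_text(fh.read(), path))
    return findings

if __name__ == "__main__":
    for sample in (ROOT_SERVICE, UNPRIV_SERVICE):
        print(check_service_text(sample) or ["ok"])
    for finding in scan_directory():
        print(finding)
```

Run as-is it prints the findings for the two samples and then for every activation file on the local system bus, so a packager can spot root-activated services before shipping.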
Created attachment 85204 [details] [review] Attempt: allow to specify the user to run as during build / configure time. I tried to come up with a patch that allows specifying the user we run as at configure time (defaulting to root, so as not to change the existing defaults just yet).
Comment on attachment 85204 [details] [review] Attempt: allow to specify the user to run as during build / configure time. Review of attachment 85204 [details] [review]: ----------------------------------------------------------------- Otherwise looks good to me. Bastien? ::: data/Makefile.am @@ -2,5 @@ > -service_in_files = org.freedesktop.GeoClue2.service.in > -service_DATA = $(service_in_files:.service.in=.service) > - > -$(service_DATA): $(service_in_files) Makefile > - @sed -e "s|\@libexecdir\@|$(libexecdir)|" $< > $@ This change seems unrelated. Please put it in a separate patch with justification in the commit log.
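Review bot: the data/Makefile.am hunk drops the service_in_files/service_DATA definitions and the sed rule that substituted @libexecdir@ into org.freedesktop.GeoClue2.service, but nothing in the visible diff shows where that file is produced instead, so the commit message should state how and where the .service file is now generated and that the configured user is substituted there; without that, the hunk reads as removing the activation file outright rather than moving its generation.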
(In reply to comment #3) > Comment on attachment 85204 [details] [review] [review] > Attempt: allow to specify the user to run as during build / configure time. > > Review of attachment 85204 [details] [review] [review]: > ----------------------------------------------------------------- > > Otherwise looks good to me. > > Bastien? > > ::: data/Makefile.am > @@ -2,5 @@ > > -service_in_files = org.freedesktop.GeoClue2.service.in > > -service_DATA = $(service_in_files:.service.in=.service) > > - > > -$(service_DATA): $(service_in_files) Makefile > > - @sed -e "s|\@libexecdir\@|$(libexecdir)|" $< > $@ > > This change seems unrelated. Please put it in a separate patch with > justification in the commit log. It's not unrelated... org.freedesktop.GeoClue2.service is now created by configure, no longer by 'sed' magic during make (needed, as we also inject the user in there).
Pushed a modified version of this patch. Thanks!