Bug#914285: dbus: system bus logs repeated denials for session buses calling GetDynamicUsers() on systemd Manager lines

Michael Biebl biebl at debian.org
Wed Nov 21 20:20:16 GMT 2018


On 21.11.18 at 18:03, Simon McVittie wrote:

> Real solution:
> 
>> ===File /etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf===
> ...
>> <busconfig>
> ...
>>         <policy context="default">
>>                 <deny send_destination="org.freedesktop.systemd1"/>
> 
> org.freedesktop.systemd-shim.conf should not have this Deny line. It's
> redundant with the implicit default-deny in system.conf, and is going to
> break the file installed by the real systemd.
> 
> systemd should perhaps mitigate this bug for buster by moving its bus
> configuration from /usr/share/dbus-1 back into /etc/dbus-1, and choosing
> a filename that is higher precedence than systemd-shim's. (Sorry, I don't
> immediately know whether that means earlier or later in ASCII order.)

The problem is, this file
/etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf was removed from
systemd-shim a long time ago:

systemd-shim (8-4) unstable; urgency=medium

  * Drop the dbus policy entirely from this package, as discussed in bug
    #765101; since the security policy should always be in sync with
    systemd's, and since the systemd package ships both logind (the consumer
    of systemd-shim) and this dbus policy, there's no reason to ship this
    separately rather than relying on the systemd copy.

 -- Steve Langasek <vorlon at debian.org>  Wed, 22 Oct 2014 04:29:44 +0000

I'm not sure why Francesco still had this file around, as there is a
.maintscript file in systemd-shim which was supposed to clean that up:

$ cat debian/systemd-shim.maintscript
rm_conffile /etc/dbus-1/system.d/org.freedesktop.systemd1.conf 6-2 systemd-shim
rm_conffile /etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf 8-4 systemd-shim

So I can only guess that Francesco had removed, but not purged, the
package before the 8-4 update.

Changing systemd to move the dbus policy file back to /etc/ seems like a
workaround which we could never get rid of, as there might always be
users who removed but not purged the package before 8-4.

I guess the only sensible thing we can do at this point is to let the
systemd package itself clean up this mess, and remove
/etc/dbus-1/system.d/org.freedesktop.systemd1.conf
either via systemd.maintscript or just a simple rm -f in postinst.

I'm aware this is not 100% policy compliant, but I can't think of a
better solution atm.

WDYT?

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
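
Added example, not part of the original message and not code from systemd, systemd-shim or dbus: a check an administrator could run to find leftover policy files that still carry the blanket default-context deny quoted above. The function names and both XML samples are constructed for illustration; only the deny rule and the /etc/dbus-1/system.d path come from the thread.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

TARGET = "org.freedesktop.systemd1"

# Constructed sample modelled on the fragment quoted in the thread.
SAMPLE_SHIM = """<?xml version="1.0"?>
<busconfig>
  <policy context="default">
    <deny send_destination="org.freedesktop.systemd1"/>
  </policy>
</busconfig>
"""

# Constructed sample of a policy file that only adds a narrow allow rule.
SAMPLE_OK = """<?xml version="1.0"?>
<busconfig>
  <policy context="default">
    <allow send_destination="org.freedesktop.systemd1"
           send_interface="org.freedesktop.DBus.Properties"/>
  </policy>
</busconfig>
"""

def blanket_denies(xml_data, destination=TARGET):
    """Return <deny> rules in <policy context="default"> whose only
    attribute is send_destination=destination (str or bytes input)."""
    root = ET.fromstring(xml_data)
    hits = []
    for policy in root.iter("policy"):
        if policy.get("context") != "default":
            continue
        for rule in policy.findall("deny"):
            if rule.attrib == {"send_destination": destination}:
                hits.append(dict(rule.attrib))
    return hits

def scan_dir(directory, destination=TARGET):
    """Map file name -> blanket deny rules for each *.conf in directory."""
    report = {}
    for path in sorted(Path(directory).glob("*.conf")):
        try:
            hits = blanket_denies(path.read_bytes(), destination)
        except ET.ParseError:
            continue  # malformed XML: nothing to report for this file
        if hits:
            report[path.name] = hits
    return report

if __name__ == "__main__":
    for name, rules in scan_dir("/etc/dbus-1/system.d").items():
        print(name, rules)
```

A file it reports can then be checked against the package database to see whether its owning package was removed but not purged, which is the state suspected in the message.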
