[Pkg-utopia-maintainers] Bug#510639: hal.conf.in needs augmenting for new D-Bus

Simon McVittie smcv at debian.org
Sat Jan 3 23:44:23 UTC 2009


Package: hal
Version: 0.5.11-6
Severity: serious
Justification: blocker for #503532 (CVE-2008-4311)
Tags: upstream
User: pkg-utopia-maintainers at lists.alioth.debian.org
Usertags: CVE-2008-4311

hal installs a D-Bus system policy file which doesn't allow
introspection, or the KillSwitch method used by NetworkManager. These
used to be allowed accidentally by a dbus-daemon bug, but with the
dbus-daemon currently in experimental (which is now targeted for lenny)
they will be denied.

https://bugs.freedesktop.org/show_bug.cgi?id=18985 provides a partial,
unreviewed patch. Some quick notes I made while rummaging through the
hal source tree:

org.freedesktop.Hal.SingletonAddon - emits methods (!?) which libhal receives

rfkill: org.freedesktop.Hal.Device.KillSwitch has SetPower/GetPower

dockstation: org.freedesktop.Hal.Device.DockStation has Undock

org.freedesktop.Hal.Device.Storage has CloseTray, Eject

org.freedesktop.Hal.Device.SystemPowerManagement has Suspend etc.

org.freedesktop.Hal.Device.WakeOnLan has GetEnabled, SetEnabled

LaptopPanel already covered

CPUFreq?

KeyboarBacklight?

LightSensor?

Storage.Removable?

AccessControl?

I don't know which of these should allow privileged or unprivileged
access. A conservative version would be to let root access them.

Regards from the Cambridge BSP,
    Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 155 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-utopia-maintainers/attachments/20090103/9243a6d3/attachment.pgp 


More information about the Pkg-utopia-maintainers mailing list