[Pkg-utopia-maintainers] Bug#589979: Bug#589979: dbus-daemon-launch-helper needs to be a+x to work
Simon McVittie
smcv at debian.org
Tue Jul 27 18:41:26 UTC 2010
On Fri, 23 Jul 2010 at 11:36:00 -0400, Christian Weeks wrote:
> I have to manually, on each upgrade of dbus, do the chmod to add o+x,
> otherwise DBus fails to launch stuff. (This is probably a big security
> hole which is why it's not set that way but..)
The intended security model is:
* dbus-daemon runs as uid messagebus, gid messagebus
* group messagebus has no other members
* dbus-daemon-launch-helper is executable by messagebus, only
Is your messagebus *group* in LDAP, or in /etc/group, or both?
What is the messagebus group's numeric GID?
What groups does the system dbus-daemon have? You can get this with:
cat /proc/$its_pid/status
The intended setup is something like this: on my system, user 103 is
the messagebus user, group 104 is the messagebus group, and the system bus is
process 2354.
smcv@reptile% grep messagebus /etc/passwd
messagebus:x:103:104::/var/run/dbus:/bin/false
smcv@reptile% grep messagebus /etc/group
messagebus:x:104:
smcv@reptile% pgrep dbus-daemon | xargs ps
  PID TTY      STAT   TIME COMMAND
 2354 ?        Ss     0:14 /usr/bin/dbus-daemon --system
...
smcv@reptile% egrep 'Uid|Gid|Group' /proc/2354/status
Uid: 103 103 103 103
Gid: 104 104 104 104
Groups:
smcv@reptile% ls -ln /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-- 1 0 104 45936 Jul 17 14:31 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
             ^ ^
             | \-- this is the messagebus group
             \-- this is the root user
> Fine, however, I don't understand how I have misconfigured, if I have.
> It was a working setup for the prior three years and only broke when the
> new dbus landed about 6 months ago (The upgrade from dbus 1.2.16-2 to
> 1.2.20-2 is where I noticed the problem start occurring).
That might well coincide with the introduction of dbus-daemon-launch-helper
(system bus activation). Before that, system services like Avahi had to run
as a separate daemon (as root), then connect to the system bus.
Simon
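
The three-point model described in the message above can be checked mechanically. The following is an added example, not part of the original message or of dbus itself; the function names are hypothetical, and the inputs are assumed to come from `stat -c '%u %g %a'` on the helper, the messagebus line of `getent group`, and `/proc/PID/status` of the system dbus-daemon.

```shell
#!/bin/sh
# Added example: audit the helper, the group and the daemon from saved text.
# $1 = "uid gid octal-mode" of the helper, $2 = numeric messagebus GID
check_helper() {
    set -- $1 "$2"              # now $1=uid $2=gid $3=mode $4=messagebus gid
    m=$((0$3))                  # read the mode as an octal number
    [ "$1" = 0 ] || { echo "helper owner is uid $1, not root"; return 1; }
    [ "$2" = "$4" ] || { echo "helper group is $2, not messagebus ($4)"; return 1; }
    [ $((m & 04000)) -ne 0 ] || { echo "helper is not setuid"; return 1; }
    [ $((m & 010)) -ne 0 ] || { echo "messagebus group cannot execute helper"; return 1; }
    [ $((m & 023)) -eq 0 ] || { echo "helper mode $3 grants group-write, other-write or other-execute"; return 1; }
    echo "helper ok"
}

# $1 = the messagebus line from /etc/group or getent group
check_group() {
    members=${1##*:}            # everything after the last colon
    [ -z "$members" ] || { echo "messagebus group has members: $members"; return 1; }
    echo "group ok"
}

# $1 = contents of /proc/PID/status, $2 = messagebus UID, $3 = messagebus GID
# Assumption: a supplementary group equal to the messagebus GID is acceptable.
check_daemon() {
    printf '%s\n' "$1" | awk -v u="$2" -v g="$3" '
        $1 == "Uid:"    { for (i = 2; i <= 5; i++)  if ($i != u) bad = "uid " $i }
        $1 == "Gid:"    { for (i = 2; i <= 5; i++)  if ($i != g) bad = "gid " $i }
        $1 == "Groups:" { for (i = 2; i <= NF; i++) if ($i != g) bad = "supplementary group " $i }
        END { if (bad) { print "daemon has unexpected " bad; exit 1 } print "daemon ok" }'
}

# Sample input: the values shown in the message (uid 103, gid 104).
check_helper "0 104 4754" 104
check_group "messagebus:x:104:"
check_daemon "Uid: 103 103 103 103
Gid: 104 104 104 104
Groups:" 103 104
# Constructed case: the reporter's chmod o+x workaround yields mode 4755.
check_helper "0 104 4755" 104 || true
```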