[Pkg-utopia-maintainers] Bug#589979: Bug#589979: dbus-daemon-launch-helper needs to be a+x to work

Simon McVittie smcv at debian.org
Tue Jul 27 18:41:26 UTC 2010


On Fri, 23 Jul 2010 at 11:36:00 -0400, Christian Weeks wrote:
> I have to manually, on each upgrade of dbus, do the chmod to add o+x,
> otherwise DBus fails to launch stuff. (This is probably a big security
> hole which is why it's not set that way but..)

The intended security model is:

* dbus-daemon runs as uid messagebus, gid messagebus
* group messagebus has no other members
* dbus-daemon-launch-helper is executable by messagebus, only

Is your messagebus *group* in LDAP, or in /etc/group, or both?

What is the messagebus group's numeric GID?

What groups does the system dbus-daemon have? You can get this with:

cat /proc/$its_pid/status

The intended setup is something like this: on my system, user 103 is
the messagebus user, group 104 is the messagebus group, and the system bus is
process 2354.

smcv@reptile% grep messagebus /etc/passwd
messagebus:x:103:104::/var/run/dbus:/bin/false
smcv@reptile% grep messagebus /etc/group
messagebus:x:104:
smcv@reptile% pgrep dbus-daemon | xargs ps
  PID TTY      STAT   TIME COMMAND
   2354 ?        Ss     0:14 /usr/bin/dbus-daemon --system
...
smcv@reptile% egrep 'Uid|Gid|Group' /proc/2354/status
Uid:	103	103	103	103
Gid:	104	104	104	104
Groups:	
smcv@reptile% ls -ln /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-- 1 0 104 45936 Jul 17 14:31 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
             ^  ^
             |  \-- this is the messagebus group
             \-- this is the root user

> Fine, however, I don't understand how I have misconfigured, if I have.
> It was a working setup for the prior three years and only broke when the
> new dbus landed about 6 months ago (The upgrade from dbus 1.2.16-2 to
> 1.2.20-2 is where I noticed the problem start occurring).

That might well coincide with the introduction of dbus-daemon-launch-helper
(system bus activation). Before that, system services like Avahi had to run
as a separate daemon (as root), then connect to the system bus.

    Simon
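An added example, not part of the original message or the dbus package: the three properties of the intended security model, checked as shell functions against the values shown in the transcript above. The function names are hypothetical, and mode 4754 is the octal form of the `-rwsr-xr--` listing.

```shell
#!/bin/sh
# Added example: check captured system data against the intended model.
# For live data, feed `getent group messagebus` (resolves LDAP as well as
# /etc/group), /proc/<pid>/status, and `stat -c '%a %u %g' <helper>`.

# bus_gid: read group(5) lines on stdin, print the messagebus GID.
# Fails if the group is absent or lists any members in field 4.
bus_gid() {
    awk -F: '$1 == "messagebus" { found = 1; if ($4 != "") bad = 1; print $3 }
             END { exit !(found && !bad) }'
}

# proc_creds_ok UID GID: read /proc/<pid>/status on stdin. All four Uid and
# Gid values must match. Assumption: Groups may be empty or hold only GID.
proc_creds_ok() {
    awk -v uid="$1" -v gid="$2" '
        $1 == "Uid:" { seen++; for (i = 2; i <= 5; i++) if ($i != uid) bad = 1 }
        $1 == "Gid:" { seen++; for (i = 2; i <= 5; i++) if ($i != gid) bad = 1 }
        $1 == "Groups:" { seen++; for (i = 2; i <= NF; i++) if ($i != gid) bad = 1 }
        END { exit !(seen == 3 && !bad) }'
}

# helper_perms_ok "MODE UID GID" BUS_GID: setuid root, group messagebus,
# no access for others. Mode 4755 (the o+x workaround) is rejected.
helper_perms_ok() {
    set -- $1 "$2"
    [ "$1" = 4754 ] && [ "$2" = 0 ] && [ "$3" = "$4" ]
}

# audit GROUP_LINE STATUS_TEXT BUS_UID "MODE UID GID": run all three checks.
audit() {
    gid=$(printf '%s\n' "$1" | bus_gid) ||
        { echo "messagebus group missing or has members"; return 1; }
    printf '%s\n' "$2" | proc_creds_ok "$3" "$gid" ||
        { echo "dbus-daemon credentials differ from messagebus"; return 1; }
    helper_perms_ok "$4" "$gid" ||
        { echo "launch helper owner, group or mode differs"; return 1; }
    echo "matches intended model"
}

# Sample input, constructed from the transcript in the message above.
SAMPLE_GROUP='messagebus:x:104:'
SAMPLE_STATUS=$(printf 'Uid:\t103\t103\t103\t103\nGid:\t104\t104\t104\t104\nGroups:\t\n')

audit "$SAMPLE_GROUP" "$SAMPLE_STATUS" 103 '4754 0 104'
```

A GID mismatch between the group database and the helper's group fails the third check.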