[Pkg-utopia-maintainers] Bug#914799: dbus: Privacy violations: Logs detailed commands and parameters
Helge Kreutzmann
debian at helgefjell.de
Tue Nov 27 13:26:11 GMT 2018
Package: dbus
Version: 1.12.10-1
Severity: important
Tags: security
Currently, dbus logs commands and their parameters, e.g. from my
system (parts masked out with ##)
Nov 3 13:57:16 samd dbus-daemon[2402]: [session uid=1000 pid=2400] Activating service name='org.a11y.Bus' requested by ':1.3' (uid=1000 pid=9366 comm="java ###")
Nov 13 07:30:37 samd dbus-daemon[577]: [system] Activating via systemd: service name='org.bluez' unit='dbus-org.bluez.service' requested by ':1.32' (uid=1001 pid=3411 comm="/usr/lib/chromium/chromium --show-component-extens")
Nov 18 12:57:23 samd dbus-daemon[2879]: [session uid=1000 pid=2877] Activating service name='org.kde.ActivityManager' requested by ':1.6' (uid=1000 pid=3231 comm="okular ####")
Nov 21 09:45:13 samd at-spi-bus-launcher[3054]: dbus-daemon[3170]: Activating service name='org.a11y.atspi.Registry' requested by ':1.0' (uid=1001 pid=3098 comm="/usr/bin/kuiserver ")
Nov 22 07:51:39 samd dbus-daemon[2759]: [session uid=1001 pid=2759] Activating via systemd: service name='org.gnome.evince.Daemon' unit='org.gnome.Evince.service' requested by ':1.84' (uid=1001 pid=4154 comm="/usr/bin/evince ####")
The string after service name= varies, typical parameters are
org.a11y.Bus, org.kde.ActivityManager, ca.desrt.dconf,
org.kde.kglobalaccel
Parameters often include file names, e.g. for okular, evince, …
These commands and their parameters do not belong in the system log.
These are private data. Of course, if the system administrator chooses
to spy on a user, he can do so. But by default this should not be the
case.
Consider the typical scenario, where dozens (hundreds) of systems are
operated (like at my job) on Linux systems. The logs might (should) be
aggregated to some server and analysed for malfunction. If this
unnecessary private data is stored there as well, it is a "nice"
target for people wanting to observe the users, very unlikely to get
noticed, not even necessary to leave traces on the machine of the
user.
Additionally:
In some jurisdictions, processing of private data is heavily
regulated, e.g. in Europe with the GDPR. Avoiding logging those
private data makes it much easier for system administrators to be
compliant as well. Otherwise they would need fancy filters (maybe
logcheck would suffice?) to avoid those data being stored.
I tagged this security, as I'm not sure if privacy related issues are
treated as security issues as well and in more sensitive environments
the need-to-know principle is implemented, meaning that sensitive
information like file names processed should by default not be
disclosed as well, doing so might be security relevant.
I can see the following possible actions, in the order of preference:
1) dbus-daemon does not log this information by default.
As far as I can see, these messages are useless in normal
operation. If debugging is required (or problems arise on a
machine) then of course logging them could be re-enabled.
2) dbus-daemon logs much less by default.
This would imply at least the removal of the "comm" part, possibly
unless errors occur. There should be a clear description of how to
remove the logging altogether as well.
3) Filter sensitive information out of the logging stream.
Using tools like "logcheck" to filter out those messages. However,
this can only be a band aid, as administrators would need to
install additional software, so a good description should be placed
at a suitable position, and the tool (e.g. logcheck) should be
recommended by dbus by default, to ensure good coverage.
I'm not sure if logcheck is the right tool, as it by default sends
e-mails and leaves the logs otherwise unaltered, so if centralized
processing happens, logchecking does not interfere.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to de_DE.UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to de_DE.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages dbus depends on:
ii adduser 3.118
ii libapparmor1 2.13.1-3+b1
ii libaudit1 1:2.8.4-2
ii libc6 2.27-8
ii libcap-ng0 0.7.9-1
ii libdbus-1-3 1.12.10-1
ii libexpat1 2.2.6-1
ii libselinux1 2.8-1+b1
ii libsystemd0 239-13
ii lsb-base 9.20170808
dbus recommends no packages.
Versions of packages dbus suggests:
ii dbus-user-session [default-dbus-session-bus] 1.12.10-1
ii dbus-x11 [dbus-session-bus] 1.12.10-1
Versions of packages dbus is related to:
ii dbus-x11 1.12.10-1
ii systemd 239-13
ii systemd-sysv 239-13
-- no debconf information
--
Dr. Helge Kreutzmann debian at helgefjell.de
Dipl.-Phys. http://www.helgefjell.de/debian.php
64bit GNU powered gpg signed mail preferred
Help keep free software "libre": http://www.ffii.de/
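Added example, not part of the original report and not code from dbus: one way to realise option 3 (filtering the logging stream) before lines leave the machine, by stripping the arguments from the comm="..." field of dbus-daemon activation messages. The function name redact_dbus_line, the sample host and the sample file name are hypothetical; the log format is assumed to be the one quoted in the report, with comm="..." as the last field on the line.

```python
import re
import sys

# Only dbus-daemon activation messages carry the requester's command line.
_DBUS_ACTIVATION = re.compile(r"dbus-daemon\[\d+\]: .*\bActivating\b")
# Greedy on purpose: the value runs to the last '")' on the line, so a
# command line that itself contains a quote is still removed completely.
_COMM = re.compile(r'comm="(?P<cmd>.*)"\)')


def redact_dbus_line(line, keep_program=True):
    """Return `line` with the arguments in comm="..." removed."""
    if not _DBUS_ACTIVATION.search(line):
        return line

    def _replace(match):
        if not keep_program:
            return 'comm="<redacted>")'
        words = match.group("cmd").split()
        # argv[0] basename only; a path containing spaces is cut at the
        # first space, which loses detail but never leaks arguments.
        program = words[0].rsplit("/", 1)[-1] if words else ""
        return 'comm="%s")' % program

    return _COMM.sub(_replace, line)


# Constructed sample input in the format quoted in the report; the host
# name and file name are invented for illustration.
SAMPLE = [
    "Nov 22 07:51:39 host dbus-daemon[2759]: [session uid=1001 pid=2759] "
    "Activating via systemd: service name='org.gnome.evince.Daemon' "
    "unit='org.gnome.Evince.service' requested by ':1.84' "
    '(uid=1001 pid=4154 comm="/usr/bin/evince /home/alice/payslip.pdf")',
    "Nov 22 07:51:40 host sshd[811]: Accepted publickey for alice",
]


if __name__ == "__main__":
    # As a filter in front of a log shipper: stdin -> stdout; with no
    # piped input, run over the constructed sample instead.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for entry in source:
        print(redact_dbus_line(entry.rstrip("\n")))
```

The filter only cleans the copy that is forwarded; the unredacted line is still written to the local log, and the service name= field still shows which application was started.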