[Pkg-utopia-maintainers] Bug#914799: dbus: Privacy violations: Logs detailed commands and parameters
Simon McVittie
smcv at debian.org
Tue Nov 27 14:48:34 GMT 2018
On Tue, 27 Nov 2018 at 14:26:11 +0100, Helge Kreutzmann wrote:
> These commands and their parameters do not belong into the system log.
> These are private data. Of course, if the system administrator chooses
> to spy on a user, he can so so. But by default this should not be the
> case.
Please note that ordinary, unprivileged users can see the same information
in /proc, which is where dbus-daemon gets it (dbus-daemon --system runs
as an unprivileged uid that cannot see anything in /proc that ordinary
user accounts can't).
If you don't want other users of the system to see the filenames that
are acted on, you'd already need to take further action, for example
mounting /proc with the hidepid option, which would have the side-effect
of hiding the commands from dbus-daemon too.
The detailed system log is already considered sensitive information,
which is why only the adm group can read it: we can't know what will
end up there.
> 1) dbus-daemon does not log this information by default.
> As far as I can see, these messages are useless in normal
> operation. If debugging is required (or problems arise on a
> machine) then of course logging them could be re-enabled.
I can't keep everyone happy here: if I suppress the command name, then
I'll immediately get this bug report (but possibly phrased in terms of
"the maintainer of this freedesktop crap needs to die in a fire" if I'm
less lucky about who submits the bug):
Something is starting com.example.Foobard. The log message says
"requested by :1.23, process 123". This is not enough to know what
program tried to start com.example.Foobard.
or if the log message isn't present at all:
Something is silently starting com.example.Foobard and it took me
hours to find out that it was dbus-daemon. I never asked for this.
The other common source of command names and parameters in the messages
logged by dbus-daemon is when it rejects a message, in which case it
needs to indicate who sent the message.
smcv
More information about the Pkg-utopia-maintainers
mailing list