[Pkg-utopia-maintainers] Bug#914799: dbus: Privacy violations: Logs detailed commands and parameters

Helge Kreutzmann debian at helgefjell.de
Tue Nov 27 15:41:45 GMT 2018


Hello Simon,
On Tue, Nov 27, 2018 at 02:48:34PM +0000, Simon McVittie wrote:
> On Tue, 27 Nov 2018 at 14:26:11 +0100, Helge Kreutzmann wrote:
> > These commands and their parameters do not belong in the system log.
> > These are private data. Of course, if the system administrator chooses
> > to spy on a user, he can do so. But by default this should not be the
> > case.
> 
> Please note that ordinary, unprivileged users can see the same information
> in /proc, which is where dbus-daemon gets it (dbus-daemon --system runs
> as an unprivileged uid that cannot see anything in /proc that ordinary
> user accounts can't).

For the running system this is not a problem.

> If you don't want other users of the system to see the filenames that
> are acted on, you'd already need to take further action, for example
> mounting /proc with the hidepid option, which would have the side-effect
> of hiding the commands from dbus-daemon too.
> 
> The detailed system log is already considered sensitive information,
> which is why only the adm group can read it: we can't know what will
> end up there.

But each program should set sensible defaults for its logging. Too
little is of no use, but too detailed (by default) is also not correct.

> > 1) dbus-daemon does not log this information by default.
> >    As far as I can see, these messages are useless in normal
> >    operation. If debugging is required (or problems arise on a
> >    machine) then of course logging them could be re-enabled.
> 
> I can't keep everyone happy here: if I suppress the command name, then
> I'll immediately get this bug report (but possibly phrased in terms of
> "the maintainer of this freedesktop crap needs to die in a fire" if I'm
> less lucky about who submits the bug):

Whoever needs the details should of course easily be able to turn it on.
I'm not considering taking away options; it is the *default* I'm
discussing. Nowadays it is called "privacy by default" / "security by
default". A dbus developer of course will most likely change it.

>     Something is starting com.example.Foobard. The log message says
>     "requested by :1.23, process 123". This is not enough to know what
>     program tried to start com.example.Foobard.
> 
> or if the log message isn't present at all:
> 
>     Something is silently starting com.example.Foobard and it took me
>     hours to find out that it was dbus-daemon. I never asked for this.

Sorry, this I can't follow at all. I've been using Linux for ages, using
strace, pstree, and the like if need be. And looking at the very
complex system of processes running nowadays, are there really a
significant number of people asking these questions while at the same
time not being able to turn on a simple configuration option?

> The other common source of command names and parameters in the messages
> logged by dbus-daemon is when it rejects a message, in which case it
> needs to indicate who sent the message.

I agree for the error case; there the system needs to be more verbose.
Again, silencing it in the error case is another discussion (which
I'm not advocating); people who need this can surely configure the
system appropriately.

Greetings

          Helge

-- 
      Dr. Helge Kreutzmann                     debian at helgefjell.de
           Dipl.-Phys.                   http://www.helgefjell.de/debian.php
        64bit GNU powered                     gpg signed mail preferred
           Help keep free software "libre": http://www.ffii.de/