[Pkg-utopia-maintainers] Bug#1021947: dbus-daemon: creates socket file in /tmp readable, writeable for everyone

Jörg-Volker Peetz jvpeetz at web.de
Mon Oct 17 20:45:19 BST 2022


Package: dbus-daemon
Version: 1.14.4-1
Severity: important

Dear Utopia Maintenance Team,

on my machine with sysv init, starting firefox through an ssh X tunnel
creates a socket file in /tmp, e.g., /tmp/dbus-TisQYrBfOV which is world
readable, writable, executable (o=rwx).
Is this intended? Isn't it a security problem?
The output of 'lsof | grep /tmp/dbus' says dbus-daemon is connected to
the socket.

Regards,
Jörg.


-- System Information:
Debian Release: bookworm/sid
   APT prefers testing
   APT policy: (600, 'testing'), (500, 'unstable'), (5, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.0.2 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=C.utf8, LC_CTYPE=C.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages dbus-daemon depends on:
ii  dbus-bin                 1.14.4-1
ii  dbus-session-bus-common  1.14.4-1
ii  libapparmor1             3.0.7-1
ii  libaudit1                1:3.0.7-1.1
ii  libc6                    2.35-3
ii  libcap-ng0               0.8.3-1+b1
ii  libdbus-1-3              1.14.4-1
ii  libexpat1                2.4.9-1
ii  libselinux1              3.4-1+b2
ii  libsystemd0              251.6-1

dbus-daemon recommends no packages.

dbus-daemon suggests no packages.

-- no debconf information
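
A defender-side check for what the report describes, as an added example that is not part of the original message or of the dbus project: it lists socket files named `dbus-*` in a directory together with their owner and permission bits. The function names and the sample socket name `dbus-EXAMPLE` are assumptions made for the illustration.

```python
import os
import socket
import stat
import tempfile


def audit_sockets(directory="/tmp", prefix="dbus-"):
    """Return one record per socket file in `directory` whose name starts
    with `prefix`: path, owner uid, octal mode and the 'other' permission
    bits as an rwx string (the o=rwx mentioned in the report)."""
    findings = []
    for entry in os.scandir(directory):
        if not entry.name.startswith(prefix):
            continue
        try:
            st = entry.stat(follow_symlinks=False)  # lstat: never follow symlinks in /tmp
        except OSError:
            continue  # entry vanished or is unreadable; skip it
        if not stat.S_ISSOCK(st.st_mode):
            continue  # regular files, directories, FIFOs are out of scope
        other = "".join(
            flag if st.st_mode & bit else "-"
            for flag, bit in (("r", stat.S_IROTH), ("w", stat.S_IWOTH), ("x", stat.S_IXOTH))
        )
        findings.append({"path": entry.path, "uid": st.st_uid,
                         "mode": oct(stat.S_IMODE(st.st_mode)), "other": other})
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Constructed sample: bind a socket in a private temporary directory,
    give it mode 0777 as in the report, then audit that directory."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dbus-EXAMPLE")  # constructed name, not a real bus
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            srv.bind(path)
            os.chmod(path, 0o777)
            return audit_sockets(d)
        finally:
            srv.close()


if __name__ == "__main__":
    for finding in demo() + audit_sockets("/tmp"):
        print(finding)
```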


