  • Security hardening: force EXTERNAL auth in session.conf on Unix · 084977cf
    Simon McVittie authored
    DBUS_COOKIE_SHA1 is dependent on unguessable strings, i.e.
    indirectly dependent on high-quality pseudo-random numbers
    whereas EXTERNAL authentication (credentials-passing)
    is mediated by the kernel and cannot be faked.
    
    On Windows, EXTERNAL authentication is not available,
    so we continue to use the hard-coded default (all
    authentication mechanisms are tried).
    
    Users of tcp: or nonce-tcp: on Unix will have to comment
    this out, but they would have had to use a special
    configuration anyway (to set the listening address),
    and the tcp: and nonce-tcp: transports are inherently
    insecure unless special steps are taken to have them
    restricted to a VPN or SSH tunnelling.
    
    Users of obscure Unix platforms (those that trigger
    the warning "Socket credentials not supported on this Unix OS"
    when compiling dbus-sysdeps-unix.c) might also have to
    comment this out, or preferably provide a tested patch
    to enable credentials-passing on that OS.
    
    Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90414
    
    
    Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>