Commit 9bd0256f authored by Simon McVittie's avatar Simon McVittie

dbus-daemon(1): Say that non-local TCP is insecure

With some fairly reasonable threat models (active or passive local
attacker able to eavesdrop on the network link, confidential
information being transferred via D-Bus), secure authentication is
insufficient to make this transport secure: it does not protect
confidentiality or integrity either.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106004Signed-off-by: Simon McVittie's avatarSimon McVittie <smcv@collabora.com>
Reviewed-by: Ralf Habacker's avatarRalf Habacker <ralf.habacker@freenet.de>
Reviewed-by: Philip Withnall's avatarPhilip Withnall <withnall@endlessm.com>
(cherry picked from commit 2513f84d)
parent 6ea8268c
......@@ -148,8 +148,10 @@ bus.</para>
<varlistentry>
<term><option>--address[=ADDRESS]</option></term>
<listitem>
<para>Set the address to listen on. This option overrides the address
configured in the configuration file.</para>
<para>Set the address to listen on. This option overrides the address
configured in the configuration file via the
<literal>&lt;listen&gt;</literal> directive.
See the documentation of that directive for more details.</para>
</listitem>
</varlistentry>
<varlistentry>
......@@ -395,6 +397,24 @@ effect unless the ANONYMOUS mechanism has also been enabled using the
address is in the standard D-Bus format that contains
a transport name plus possible parameters/options.</para>
<para>On platforms other than Windows, <literal>unix</literal>-based
transports (<literal>unix</literal>, <literal>systemd</literal>,
<literal>launchd</literal>) are the default for both the well-known
system bus and the well-known session bus, and are strongly
recommended.</para>
<para>
On Windows, <literal>unix</literal>-based transports are not available,
so TCP-based transports must be used.
Similar to remote X11, the <literal>tcp</literal> and
<literal>nonce-tcp</literal> transports have no integrity or
confidentiality protection, so they should normally only be
used across the local loopback interface, for example using an
address like <literal>tcp:host=127.0.0.1</literal> or
<literal>nonce-tcp:host=localhost</literal>. In particular,
configuring the well-known system bus or the well-known session
bus to listen on a non-loopback TCP address is insecure.
</para>
<para>Example: &lt;listen&gt;unix:path=/tmp/foo&lt;/listen&gt;</para>
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment