Closed
Opened Jan 11, 2018 by Bugzilla Migration User@bugzilla-migration

libdbus client should try "AUTH EXTERNAL\r\n" first

Submitted by Simon McVittie

Assigned to D-Bus Maintainers

Link to original bug (#104589)

Description

While documenting how the EXTERNAL auth mechanism works (on Bug #104224), I found out that dbus-daemon has in fact always supported the empty string as an authorization identity. This means "I am whoever the kernel says I am", which is the behaviour we actually want.

This is clearly superior to what all practical D-Bus clients currently do, which is to send getuid() or geteuid(), so something like "I am uid 1000, please ask the kernel for confirmation". In particular, if the client is in a non-init uid namespace on Linux, then the uid it gets from geteuid() might not match what the dbus-daemon in the init namespace thinks its effective uid is.

One complication is that to interoperate with D-Bus server implementations whose authors didn't know this was meant to work (which I think includes GDBus), dbus-daemon needs to be prepared to do this:

C: AUTH EXTERNAL
S: REJECTED EXTERNAL DBUS_COOKIE_SHA1 ANONYMOUS
C: AUTH EXTERNAL 31303030
S: OK 12345678123456781234567812345678

which has not traditionally been necessary (we'll only do each mechanism once).

Version: git master

Reference: dbus/dbus#195