Commit 2513f84d authored by Simon McVittie's avatar Simon McVittie

spec, dbus-daemon(1): Say that non-local TCP is insecure

With some fairly reasonable threat models (active or passive local
attacker able to eavesdrop on the network link, confidential
information being transferred via D-Bus), secure authentication is
insufficient to make this transport secure: it does not protect
confidentiality or integrity either.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106004Signed-off-by: Simon McVittie's avatarSimon McVittie <smcv@collabora.com>
Reviewed-by: Ralf Habacker's avatarRalf Habacker <ralf.habacker@freenet.de>
Reviewed-by: Philip Withnall's avatarPhilip Withnall <withnall@endlessm.com>
parent 17e28cb1
......@@ -148,8 +148,10 @@ bus.</para>
<varlistentry>
<term><option>--address[=ADDRESS]</option></term>
<listitem>
<para>Set the address to listen on. This option overrides the address
configured in the configuration file.</para>
<para>Set the address to listen on. This option overrides the address
configured in the configuration file via the
<literal>&lt;listen&gt;</literal> directive.
See the documentation of that directive for more details.</para>
</listitem>
</varlistentry>
<varlistentry>
......@@ -395,6 +397,24 @@ effect unless the ANONYMOUS mechanism has also been enabled using the
address is in the standard D-Bus format that contains
a transport name plus possible parameters/options.</para>
<para>On platforms other than Windows, <literal>unix</literal>-based
transports (<literal>unix</literal>, <literal>systemd</literal>,
<literal>launchd</literal>) are the default for both the well-known
system bus and the well-known session bus, and are strongly
recommended.</para>
<para>
On Windows, <literal>unix</literal>-based transports are not available,
so TCP-based transports must be used.
Similar to remote X11, the <literal>tcp</literal> and
<literal>nonce-tcp</literal> transports have no integrity or
confidentiality protection, so they should normally only be
used across the local loopback interface, for example using an
address like <literal>tcp:host=127.0.0.1</literal> or
<literal>nonce-tcp:host=localhost</literal>. In particular,
configuring the well-known system bus or the well-known session
bus to listen on a non-loopback TCP address is insecure.
</para>
<para>Example: &lt;listen&gt;unix:path=/tmp/foo&lt;/listen&gt;</para>
......
......@@ -3717,8 +3717,13 @@
located on the same or different hosts.
</para>
<para>
Using tcp transport without any additional secure authentification mechanismus
over a network is unsecure.
Similar to remote X11, the TCP transport has no integrity or
confidentiality protection, so it should normally only be
used across the local loopback interface, for example using an
address like <literal>tcp:host=127.0.0.1</literal> or
<literal>tcp:host=localhost</literal>. In particular,
configuring the well-known system bus or the well-known session
bus to listen on a non-loopback TCP address is insecure.
</para>
<para>
On Windows and most Unix platforms, the TCP stack is unable to transfer
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment