libdbus client should try "AUTH EXTERNAL\r\n" first
Submitted by Simon McVittie
Assigned to D-Bus Maintainers
While documenting how the EXTERNAL auth mechanism works (on Bug #104224), I found out that dbus-daemon has in fact always supported the empty string as an authorization identity. This means "I am whoever the kernel says I am", which is the behaviour we actually want.
This is clearly superior to what all practical D-Bus clients currently do, which is to send getuid() or geteuid(), so something like "I am uid 1000, please ask the kernel for confirmation". In particular, if the client is in a non-init uid namespace on Linux, then the uid it gets from geteuid() might not match what the dbus-daemon in the init namespace thinks its effective uid is.
One complication is that to interoperate with D-Bus server implementations whose authors didn't know this was meant to work (which I think includes GDBus), dbus-daemon needs to be prepared to do this:
C: AUTH EXTERNAL S: REJECTED EXTERNAL DBUS_COOKIE_SHA1 ANONYMOUS C: AUTH EXTERNAL 31303030 S: OK 12345678123456781234567812345678
which has not traditionally been necessary (we'll only do each mechanism once).
Version: git master