DBusTube access control is under-specified
Submitted by Simon McVittie
Assigned to Simon McVittie
Description
+++ This bug was initially created as a clone of Bug #28366 +++
See Bug #28366, particularly my comments 23, 24:
I don't think all Socket_Access_Control values really fit on a (new-style) D-Bus tube - we wrote the wording for stream tubes, so they'll need re-purposing for D-Bus tubes. DBusTube is under-specified, basically.
D-Bus connections always start with a '\0' with semantics similar to the Socket_Access_Control_Credentials byte - that's exactly where I got the idea for S_A_C_C from.
I think the values for S_A_C that make sense for D-Bus tubes are:
- Localhost: any local user can connect to the CM. I'd re-interpret this as "use dbus_connection_set_unix_user_function() and dbus_connection_set_windows_user_function() to set a function that allows everyone".
- Credentials: for D-Bus I'd either re-interpret this as "use the default D-Bus auth handshake as used for the session bus, which only allows the same uid; omit the extra byte", or deprecate it for D-Bus tubes (it's fine to use on stream tubes) and introduce a new S_A_C_DBus_Same_User which is explicitly "use the normal D-Bus mechanisms to determine that it's the same user".
Version: git master
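Added example, not part of the original bug report and not code from any project it mentions: a simplified Python model of the two access-control interpretations described above, applied to the opening bytes of a D-Bus connection (a leading NUL byte, then `AUTH EXTERNAL` with the hex-encoded ASCII uid). The names `LOCALHOST`, `SAME_USER`, `auth_line`, `parse_auth_external` and `allow_connection` are hypothetical, and `peer_uid` is assumed to be the uid the kernel reports for the connecting socket.

```python
LOCALHOST = "Localhost"    # bug report: any local user may connect
SAME_USER = "Same_User"    # bug report: default D-Bus rule, same uid only


def auth_line(uid: int) -> bytes:
    """Constructed client opening: NUL byte, then AUTH EXTERNAL with hex(ASCII uid)."""
    return b"\0AUTH EXTERNAL " + str(uid).encode().hex().encode() + b"\r\n"


def parse_auth_external(data: bytes) -> int:
    """Return the uid the client claims; raise ValueError on anything else."""
    if not data.startswith(b"\0"):
        raise ValueError("stream must start with a NUL byte")
    line, sep, _ = data[1:].partition(b"\r\n")
    parts = line.split(b" ")
    if not sep or len(parts) != 3 or parts[:2] != [b"AUTH", b"EXTERNAL"]:
        raise ValueError("expected 'AUTH EXTERNAL <hex uid>'")
    raw = bytes.fromhex(parts[2].decode("ascii"))
    if not raw.isdigit():
        raise ValueError("uid is not a decimal number")
    return int(raw)


def allow_connection(policy: str, first_bytes: bytes, peer_uid: int, own_uid: int) -> bool:
    """peer_uid stands in for the kernel-reported socket credentials (assumption)."""
    try:
        claimed = parse_auth_external(first_bytes)
    except ValueError:
        return False
    if claimed != peer_uid:
        return False          # the claimed uid must match what the kernel reports
    if policy == LOCALHOST:
        return True           # equivalent of an allow-everyone user function
    if policy == SAME_USER:
        return peer_uid == own_uid
    return False              # unknown policy: fail closed


if __name__ == "__main__":
    # Constructed uids: the tube owner runs as 1000, peers connect as 1000 and 1001.
    for policy in (LOCALHOST, SAME_USER):
        for peer in (1000, 1001):
            print(policy, peer, allow_connection(policy, auth_line(peer), peer, 1000))
```

Under `LOCALHOST` the uid check is skipped by design, so any other restriction on who can reach the tube has to come from somewhere else, such as the permissions on the socket path.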