BIND will completely drop D-BUS dynamic forwarders table support
Dan Williams
dcbw at redhat.com
Sat Dec 8 00:11:06 UTC 2007
On Sat, 2007-12-08 at 01:05 +0100, Olivier Galibert wrote:
> On Fri, Dec 07, 2007 at 01:28:24PM -0500, David Zeuthen wrote:
> >
> > On Fri, 2007-12-07 at 12:53 -0500, Dan Williams wrote:
> > > I'm perfectly fine with pushing out the information in the D-Bus signal.
> >
> > There may be security risks in doing this; a malicious unprivileged
> > process can easily listen for these things and abuse the information.
>
> A user process can listen in on root-root dbus communications?
Anything that can get on the bus gets signals. And most anything can
get on the bus, by design, otherwise D-Bus would be pretty useless.
What you _can't_ do most of the time is claim a bus name for yourself
and provide a service, unless you're specifically authorized to do so by
a config file in /etc/dbus-1/system.d or the session bus config dir.
And services can specify what can and cannot call their _methods_, but
signals are broadcast and readable by everyone by design.
The most security paranoid model would have NM pushing the config
information to the caching nameserver directly with method calls,
because those aren't broadcast on the bus like signals are. But that
removes a lot of utility and is a lot more code. It may be that we just
have to audit the list of options and whitelist or blacklist certain
things from being exposed over the D-Bus interface.
Dan
More information about the fedora-devel-list
mailing list