https://bugzilla.novell.com/show_bug.cgi?id=428963
User hpj@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=428963#c61
--- Comment #61 from Hans Petter Jansson
(In reply to comment #56 from Hans Petter Jansson)
Re. wrong: User may want to run programs running as root in his session. We've had plenty of bugs on that previously.
We never had this reports for 11.0 or earlier. From my point of view I can assure there wasn't a change in D-Bus itself which would cause those *new* defects. We have to look somewhere else.
Well, we've had plenty of bugs on programs running as root in the user's session missing access to elements of said session, like the X display or the session manager.
The current patch for the session.conf hides the real problem. That is obviously not what we want.
The real bug is, that the application launched via gnomesu is trying to access the session owner's session bus.
The question is: Why does it want to access it?
The session bus is an important IPC mechanism for programs in the session. We can't predict all the ways in which it will be used (it looks like in this particular case it's being used to access the user's configuration database).
I'm in favor of un-setting DBUS_SESSION_BUS_ADDRESS on changing the user with gnomesu. By running anything which changes your identity (su $USER, gnomesu $APP, etc.) you're simply out of bounds of the current session.
It's not that clear-cut. The user needs to run programs as root on its current display, and the display is part of the session. The programs also need to talk to the session manager, e.g. so they can be told to quit when the session closes. There are other requirements, and I think the move to D-Bus as the session IPC mechanism (away from mechanisms like X display properties) will continue. The ideal fix here would be to adopt a security model that doesn't require you to become a different user in order to accomplish vital tasks - I'd be the first to admit that the "root" security model is broken - but insofar as we have to work within such a security model, we have to take a pragmatic approach.
Re. dangerous: I don't see how exactly this would happen. If dbus-launch exposes session auth details to everyone, wouldn't that be a bug in D-Bus?
IIRC this was being done on purpose. I'd have to dig in the list archives to find out more.
So wouldn't that mean that you can already hijack anyone's session bus? That doesn't stand to reason in my mind. I'm fairly certain a user's session bus is supposed to be secure from other users on the host :) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.