https://bugzilla.novell.com/show_bug.cgi?id=428963
User thoenig@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=428963#c57
--- Comment #57 from Timo Hoenig <thoenig@novell.com> 2008-10-28 01:36:21 MDT ---
(In reply to comment #56 from Hans Petter Jansson)
> Re. wrong: User may want to run programs running as root in his session. We've had plenty of bugs on that previously.
We never had these reports for 11.0 or earlier. From my point of view I can assure there wasn't a change in D-Bus itself which would cause those *new* defects. We have to look somewhere else. The current patch for the session.conf hides the real problem. That is obviously not what we want. The real bug is that the application launched via gnomesu is trying to access the session owner's session bus. The question is: Why does it want to access it? I'm in favor of un-setting DBUS_SESSION_BUS_ADDRESS on changing the user with gnomesu. By running anything which changes your identity (su $USER, gnomesu $APP, etc.) you're simply out of bounds of the current session.
> Re. dangerous: I don't see how exactly this would happen. If dbus-launch exposes session auth details to everyone, wouldn't that be a bug in D-Bus?
IIRC this was being done on purpose. I'd have to dig in the list archives to find out more. But as we're currently hiding the real culprit with the patch for the session bus this doesn't matter anyway.
> Like jpr, I also don't think this is a blocker. Lowering.
Judge it as you want, as soon as I drop the patch for the session bus from D-Bus -- which will happen for Beta 5 if there is no plausible rationale why this is the correct fix -- we're back at zero.