https://bugzilla.novell.com/show_bug.cgi?id=486267

User georgmueller@gmx.net added comment
https://bugzilla.novell.com/show_bug.cgi?id=486267#c42

--- Comment #42 from Georg Müller <georgmueller@gmx.net> 2009-03-23 10:34:01 MST ---
(In reply to comment #41)
> (In reply to comment #39)
> > Solution: Do not use deny rule in at_console, only in context=default and an allow rule for root. That is what I have done with my dbus changes. No more problems :)
> This might open the security hole again.

Why?

Rules are applied in the following order (from dbus-daemon man page):
 - all context="default" policies are applied
 - all group="connection's user's group" policies are applied in undefined order
 - all user="connection's auth user" policies are applied in undefined order
 - all at_console="true" policies are applied
 - all at_console="false" policies are applied
 - all context="mandatory" policies are applied

So, if there is a deny rule in context="default" and no other rule that is matching (you are not root and do not get the allow), then nothing else happens.

To minimize the security risk, a much more transparent configuration is very helpful. That means, checking one file instead of 2, 3 or 4 files helps here (since you see at one look what you allow/deny instead of cross-checking with other files).

Couldn't we get rid of the client config files at all and define it in a generic way for all nm clients? For the NetworkManagerUserSettings, I have done it with the nm-user-settings.conf.
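
The ordering quoted in the comment above can be checked with a small model. This is an added example, not part of the bug comment and not dbus-daemon code. It assumes every rule matches the same message to a hypothetical service, applies rules within one policy kind in list order (the man page leaves group and user order undefined), and uses constructed connections and rule sets.

```python
# Simplified model of the policy order quoted above (constructed example).
# A rule is (policy_kind, policy_value, verdict); every rule is assumed to
# match the same message to a hypothetical service.
ORDER = ["default", "group", "user", "console", "no_console", "mandatory"]

def applies(kind, value, conn):
    """True if a <policy> block of this kind is applied to the connection."""
    if kind in ("default", "mandatory"):
        return True
    if kind == "group":
        return value in conn["groups"]
    if kind == "user":
        return value == conn["user"]
    if kind == "console":        # at_console="true"
        return conn["at_console"]
    if kind == "no_console":     # at_console="false"
        return not conn["at_console"]
    raise ValueError(f"unknown policy kind: {kind}")

def decide(rules, conn):
    """Walk the policies in order; a later matching rule overrides an earlier one."""
    verdict = None  # None: no rule matched, bus default (not modelled) applies
    for kind in ORDER:
        for rule_kind, value, rule_verdict in rules:
            if rule_kind == kind and applies(kind, value, conn):
                verdict = rule_verdict
    return verdict

# Constructed connections and rule sets.
ROOT = {"user": "root", "groups": ["root"], "at_console": False}
ALICE = {"user": "alice", "groups": ["users"], "at_console": True}

# The layout from the comment: deny in context="default", allow for root.
ONE_FILE = [("default", None, "deny"), ("user", "root", "allow")]
# Same, plus a deny in at_console="false" from a second (hypothetical) file.
CONSOLE_DENY = ONE_FILE + [("no_console", None, "deny")]
# Same, plus an allow in at_console="true" from a second (hypothetical) file.
CONSOLE_ALLOW = ONE_FILE + [("console", None, "allow")]

def audit(rules):
    """Effective verdict per constructed connection, for side-by-side review."""
    return {"root": decide(rules, ROOT), "alice": decide(rules, ALICE)}

if __name__ == "__main__":
    for name, rules in [("one file", ONE_FILE), ("console deny", CONSOLE_DENY),
                        ("console allow", CONSOLE_ALLOW)]:
        print(name, audit(rules))
```

With only the default deny and the root allow, the non-root connection stays denied. Any at_console rule contributed by another file is applied after both and changes the result, which is what cross-checking several files has to catch.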