Matthias Gerstner changed bug 1209338
What    Removed    Added
Status  CONFIRMED  IN_PROGRESS

Comment # 4 on bug 1209338 from
I'm mostly finished with the review. So at the outset things look not too bad:

- the service runs as non-root as user _mumble-server and has no special
  privileges.
- the system-wide config file is owned and controlled only by root.
- the code shows that the author(s) have some understanding of system
  programming and thus also some awareness of security topics.
- the code is a bit hard to read due to a lot of platform-specific #ifdefs.
- there's a possibility to pass a mumble "superuser password" to the server
  via a command line parameter, which is unsafe, because the command line can
  be read by all other users in the system. This is only one option though,
  there's also an approach to pass it to mumble-server's stdin.
- SSL is used for the network communication. I did not look more closely into
  this aspect, since this bug is about the D-Bus component of the program.
- The D-Bus interface is not enabled by default and if it is enabled then it
  suggests running on the session bus instead of on the system bus.
- The D-Bus service component does not implement authorization checks. The
  provided methods allow retrieving a lot of data and also manipulating the
  runtime state of the server, partly directly operating on a SQL database
  backend.
- Due to the latter it is not really a good idea to run this service on the
  system bus. Any user in the system would be able to mess with mumble-server.

It turns out that the use case for running this D-Bus service on the system
bus is unclear. Even more so, the D-Bus configuration file will never work,
because it uses a wrong username. I have created an issue upstream to
understand better what the purpose of the system-wide D-Bus service should be:

https://github.com/mumble-voip/mumble/issues/6098

At the moment my suggestion is *not* to whitelist this configuration, because
it is broken, seemingly unnecessary and if used it would be rather worrying
security-wise.

You can continue packaging this update by simply deleting the D-Bus
configuration from the package.
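
A check a packaging reviewer could run over a D-Bus system bus policy file for the two problems raised in the comment above: a policy bound to an account name that does not exist, and a service that every local user can call. This is an added example, not code from the bug report or from Mumble; the sample policy, the bus name org.example.VoiceServer and the mistyped account name are constructed, and only _mumble-server comes from the comment.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not the file shipped by the package).
# The bus name and the mistyped account name are placeholders.
SAMPLE_POLICY = """<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="mumble-server">
    <allow own="org.example.VoiceServer"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.VoiceServer"/>
  </policy>
</busconfig>
"""


def audit_policy(xml_text, known_users):
    """Return (kind, detail) findings for a D-Bus system bus policy."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("policy"):
        user = policy.get("user")
        # A policy bound to a nonexistent account never applies, so its own=
        # rule cannot lift the system bus's default denial of name ownership.
        if user is not None and user not in known_users:
            for rule in policy.iter("allow"):
                if rule.get("own"):
                    findings.append(("unknown-user", f"{user} cannot own {rule.get('own')}"))
        # A default-context allow with only send_destination lets every local
        # user call every method; the service must then authorize callers itself.
        if policy.get("context") == "default":
            for rule in policy.iter("allow"):
                dest = rule.get("send_destination")
                narrowed = rule.get("send_interface") or rule.get("send_member")
                if dest and not narrowed:
                    findings.append(("open-to-all", dest))
    return findings


if __name__ == "__main__":
    import pwd  # real account list on the audited host
    users = {entry.pw_name for entry in pwd.getpwall()}
    for kind, detail in audit_policy(SAMPLE_POLICY, users):
        print(f"{kind}: {detail}")
```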