[Bug 1208394] AUDIT-0: ruby3.1-rubygem-d-installer: follow-up audit of D-Bus setup (separate D-Bus design)

https://bugzilla.suse.com/show_bug.cgi?id=1208394
https://bugzilla.suse.com/show_bug.cgi?id=1208394#c8

--- Comment #8 from Imobach Gonzalez Sosa <igonzalezsosa@suse.com> ---

(In reply to Matthias Gerstner from comment #7)

Hi Matthias,

First of all, D-Installer has been renamed to Agama[1]. But they are the same thing code-wise.

> So from your description in comment 4 it sounds like the additional D-Bus instance is kind of private to the two containers for the backend and the web components. Is that true? Can the UNIX domain socket be accessed from the host system otherwise?

Yes, it is a private D-Bus instance and we have limited access to just the root user: https://github.com/openSUSE/agama/blob/master/service/share/dbus.conf.

> Of course the interface of d-installer can be accessed indirectly via the web component, I suppose. Will this listen on localhost or also on remotely accessible network interfaces by default?

It uses cockpit infrastructure for that, so it is available remotely too (not only on localhost). But if you access it remotely, it asks for a user/password. The problem is that, at this point, the user/password is a known one. Thinking about that, I guess we should ask the user to explicitly enable the remote access (and offer a way to set the root password at boot time).

> The separate D-Bus instance only shared by the two containers sounds like it improves the isolation on D-Bus level so I have no problem with that. Although the use of containers on initrd level sounds pretty complex, design wise.

Agama does not rely on containers at all. You can run Agama in two different ways:

* Using our Live media[2]. In that case, it does not rely on containers, although it still uses a private D-Bus instance.
* On top of Iguana[3], running a container for the service and another for the web interface. Actually, we introduced the private D-Bus instance for this scenario.

> What I meant by asking if you are blocked by us is whether you are hitting any whitelisting restrictions that we need to fix? But I don't think so.

No, we are not blocked, everything is working fine. Thanks for having a look. I will keep you informed if we introduce any relevant change.

Regards,
Imo

[1] https://github.com/openSUSE/agama/pull/509
[2] https://build.opensuse.org/package/show/YaST:Head:Agama/agama-live
[3] https://github.com/openSUSE/iguana
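As an added illustration of the root-only private bus discussed in this comment (this is not Agama's dbus.conf from the link above, and the socket path and bus type are assumed), a dbus-daemon configuration that listens on a dedicated UNIX socket, denies everything by default and grants access only to root:

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Assumed values: a non-system bus on a dedicated socket under /run -->
  <type>session</type>
  <listen>unix:path=/run/example-installer/bus</listen>
  <auth>EXTERNAL</auth>

  <!-- Default context applies to every connection, including root, and
       denies owning names, sending and receiving. Later matching policies
       (the user="root" block below) take precedence over these rules. -->
  <policy context="default">
    <deny own="*"/>
    <deny send_destination="*"/>
    <deny receive_sender="*"/>
  </policy>

  <!-- Only uid 0 may claim names and exchange messages on this bus. -->
  <policy user="root">
    <allow own="*"/>
    <allow send_destination="*"/>
    <allow receive_sender="*"/>
  </policy>
</busconfig>
```

The policy governs messages once a connection is authenticated; the directory holding the socket should additionally be created with permissions that keep unprivileged host users from connecting at all, and a quick check from a non-root shell with `busctl --address=unix:path=/run/example-installer/bus list` should be refused.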