Your message dated Mon, 17 Oct 2022 21:11:19 +0100
with message-id <Y02258Xzp/L/[email protected]>
and subject line Re: Bug#1021947: dbus-daemon: creates socket file in /tmp readable, writeable for everyone
has caused the Debian Bug report #1021947,
regarding dbus-daemon: creates socket file in /tmp readable, writeable for everyone
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
1021947: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021947
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dbus-daemon
Version: 1.14.4-1
Severity: important

Dear Utopia Maintenance Team,

on my machine with sysv init, starting firefox through an ssh X tunnel
creates a socket file in /tmp, e.g., /tmp/dbus-TisQYrBfOV which is world
readable, writable, executable (o=rwx).
Is this intended? Isn't it a security problem?

The output of 'lsof | grep /tmp/dbus' says dbus-daemon is connected to the socket.

Regards,
Jörg.

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (600, 'testing'), (500, 'unstable'), (5, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.0.2 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=C.utf8, LC_CTYPE=C.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages dbus-daemon depends on:
ii  dbus-bin                 1.14.4-1
ii  dbus-session-bus-common  1.14.4-1
ii  libapparmor1             3.0.7-1
ii  libaudit1                1:3.0.7-1.1
ii  libc6                    2.35-3
ii  libcap-ng0               0.8.3-1+b1
ii  libdbus-1-3              1.14.4-1
ii  libexpat1                2.4.9-1
ii  libselinux1              3.4-1+b2
ii  libsystemd0              251.6-1

dbus-daemon recommends no packages.

dbus-daemon suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
On Mon, 17 Oct 2022 at 21:45:19 +0200, Jörg-Volker Peetz wrote:
> on my machine with sysv init, starting firefox through an ssh X tunnel
> creates a socket file in /tmp, e.g., /tmp/dbus-TisQYrBfOV which is world
> readable, writable, executable (o=rwx).
> Is this intended?

Yes, this is as intended. Older versions of dbus-daemon created an
equivalent socket in the "abstract" AF_UNIX namespace, which you can't
directly see in the filesystem, but the same processes could connect to it.

(Actually, the reason it no longer uses the abstract AF_UNIX namespace is
that more processes could have connected to that, which isn't always
desirable if you're using an app sandboxing framework like Flatpak.)

> Isn't it a security problem?

No, the D-Bus protocol has its own authentication mechanism which prevents
other users from connecting to your socket successfully (they'll connect,
try to authenticate and get disconnected).

    smcv
--- End Message ---
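
Added illustration, not part of either message and not dbus-daemon's code: on Linux, D-Bus's EXTERNAL authentication rests on the peer credentials the kernel reports for an AF_UNIX connection, which is why the file mode alone does not decide who gets in. The sketch shows only that credential check on a socket with mode o=rwx (no D-Bus handshake); the socket path and the function names `peer_uid`, `serve_once` and `try_connect` are hypothetical.

```python
import os
import socket
import struct
import tempfile
import threading

UCRED = "iII"  # struct ucred on Linux: pid_t pid, uid_t uid, gid_t gid


def peer_uid(conn):
    """Return the uid the kernel reports for the peer of an AF_UNIX socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(UCRED))
    _pid, uid, _gid = struct.unpack(UCRED, raw)
    return uid


def serve_once(listener, allowed_uid):
    """Accept one client and answer OK only if its uid is the allowed one."""
    conn, _ = listener.accept()
    with conn:
        # The client cannot forge this value: it comes from the kernel.
        ok = peer_uid(conn) == allowed_uid
        conn.sendall(b"OK\n" if ok else b"REJECTED\n")


def try_connect(allowed_uid):
    """Bind a world-accessible socket, connect to it, return (mode, reply)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo-bus")  # constructed path, not a real bus
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listener:
            listener.bind(path)
            os.chmod(path, 0o777)  # same o=rwx mode as in the report
            listener.listen(1)
            server = threading.Thread(target=serve_once,
                                      args=(listener, allowed_uid))
            server.start()
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
                client.connect(path)  # connect() succeeds for any local user
                reply = client.recv(64)
            server.join()
            mode = os.stat(path).st_mode & 0o777
    return mode, reply


if __name__ == "__main__":
    print(try_connect(os.getuid()))      # same user as the server
    print(try_connect(os.getuid() + 1))  # server expects a different uid
```

The second call stands in for a connection from another user: the connect itself goes through, and the refusal happens afterwards at the credential check.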
