[system-tools-backends-clone] Fix D-Bus policy file to apply correctly with restricted branch



commit 8d2a8184cb80e541216ab228e555a9f8e0f0e089
Author: Milan Bouchet-Valat <nalimilan club fr>
Date:   Tue Aug 18 23:59:19 2009 +0200

    Fix D-Bus policy file to apply correctly with restricted branch
    
    Deny D-Bus access from normal users to modules by destination, not by interface (see http://bugs.freedesktop.org/show_bug.cgi?id=18961). Also explicitly allow root to communicate with all modules, so that this keeps working with the CVE-2008-4311 fix applied. Patch from Debian (05_cve_2008_4311.patch); thanks to Simon McVittie, Josselin Mouette and Colin Walters.

 org.freedesktop.SystemToolsBackends.conf |   18 +++++++++++++-----
 1 files changed, 13 insertions(+), 5 deletions(-)
---
diff --git a/org.freedesktop.SystemToolsBackends.conf b/org.freedesktop.SystemToolsBackends.conf
index 7908e47..d031525 100644
--- a/org.freedesktop.SystemToolsBackends.conf
+++ b/org.freedesktop.SystemToolsBackends.conf
@@ -22,11 +22,7 @@
     <allow send_interface="org.freedesktop.SystemToolsBackends.Platform" send_member="getPlatform"/>
     -->
 
-    <!-- configuration modules can't be accessed directly... -->
-    <deny send_interface="org.freedesktop.SystemToolsBackends"/>
-    <deny send_interface="org.freedesktop.SystemToolsBackends.Platform"/>
-
-    <!-- ...so petitions go through the dispatcher instead -->
+    <!-- Only allow talking to the dispatcher -->
     <allow send_destination="org.freedesktop.SystemToolsBackends"/>
   </policy>
 
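Review bot: With both `<deny send_interface=.../>` rules removed, no rule visible in this hunk denies anything, so the "Only" in the new comment holds only if the bus default policy already rejects sends to the module names. That is presumably true on a bus carrying the CVE-2008-4311 fix; on one with the older permissive default, the modules would likely become directly reachable from this policy context. I would state the dependency in the comment, e.g. `<!-- Only the dispatcher is allowed; module names rely on the system bus default-deny policy -->`, or add explicit `<deny send_destination="..."/>` rules for the module names before the allow. The enclosing `<policy>` opens outside the hunk, so its context and any earlier rules are not visible here.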
@@ -51,5 +47,17 @@
          so any message to them has to go through the dispatcher -->
     <allow send_interface="org.freedesktop.SystemToolsBackends"/>
     <allow send_interface="org.freedesktop.SystemToolsBackends.Platform"/>
+    <allow send_destination="org.freedesktop.SystemToolsBackends"/>
+    <allow send_destination="org.freedesktop.SystemToolsBackends.Platform"/>
+    <allow send_destination="org.freedesktop.SystemToolsBackends.GroupsConfig"/>
+    <allow send_destination="org.freedesktop.SystemToolsBackends.HostsConfig"/>
+    <allow send_destination="org.freedesktop.SystemToolsBackends.IfacesConfig"/>
+    <allow send_destination="org.freedesktop.SystemToolsBackends.NFSConfig"/>
+    <allow send_destination="org.freedesktop.SystemToolsBackends.NTPConfig"/>
+    <allow send_destination="org.freedesktop.SystemToolsBackends.ServicesConfig"/>
+    <allow send_destination="org.freedesktop.SystemToolsBackends.SMBConfig"/>
+    <allow send_destination="org.freedesktop.SystemToolsBackends.TimeConfig"/>
+    <allow send_destination="org.freedesktop.SystemToolsBackends.UserConfig"/>
+    <allow send_destination="org.freedesktop.SystemToolsBackends.UsersConfig"/>
   </policy>
 </busconfig>
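Review bot: The two `<allow send_interface=.../>` context lines above the additions still match by interface alone, which is the pattern the commit message cites bug 18961 against. Such a rule applies to any destination on the bus, not only this service. Now that every name is allowed by destination, they look redundant; either drop them or pin them, e.g. `<allow send_destination="org.freedesktop.SystemToolsBackends" send_interface="org.freedesktop.SystemToolsBackends"/>`. The comment ending "so any message to them has to go through the dispatcher" also reads as stale next to rules that allow the modules directly, and the hard-coded module list deserves a comment such as `<!-- keep in sync with the installed modules; an unlisted module is unreachable under default-deny -->`. The `<policy>` element opens outside the hunk, so that it is the root policy is inferred from the commit message.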


