
List:       freedesktop-dbus
Subject:    Re: where is dbus 1.2 ?
From:       "Sergey Struzh" <sergeystruzh () gmail ! com>
Date:       2008-01-09 21:51:39
Message-ID: 7d434efe0801091351m797fc999t6289f3546b57b80f () mail ! gmail ! com


Hi Havoc,

Back to the old thread...

Attached please find the patch to the dbus-daemon that enables using
ANONYMOUS auth mechanism in case the conf file enables it. You were right
the change is pretty simple; I tested it both against dbus-1.1.2 and latest
git repository - it seems to work well. I would appreciate it if you include
this patch in the coming 1.2.0 release.

One issue of your possible concern may be that patched daemon will allow
ANONYMOUS connections if its conf file doesn't specify ANY auth mechanism
(which is the case for a default session.conf in Ubuntu distros for instance)
- so this might be a potential security hole.

Couple of words regarding my rationale to use ANONYMOUS auth mechanism - my
plan is to use dbus in my project (which is ARM based embedded device
running Linux) as central means of IPC (daemon + various modules exposing
their API on it; C++ bindings). TCP transport will only be used for testing
purposes (e.g. invocation of various APIs from remote PC - testing server -
using test scripts written in Python) and only in clean environment - that's
why I don't really care about the security and ANONYMOUS is basically great for
me.


P.S. generous credits for actually producing the patch should go to Mr.
Andrey Olkhovik who happens to work under my guidance.

On 11/27/07, Havoc Pennington <hp@redhat.com> wrote:
>
> Hi,
>
> Sergey Struzh wrote:
> > So now my question is whether it was thought through already or when (if
> > ever) you're planning to do so? Is it your roadmap?
> >
>
> Not right now. What I mean by "thought through" is for example, I don't
> know why you would want a bus daemon that allowed anonymous access. So
> step one in thinking it through is to describe (on this list) some of
> the use-cases. Then we could talk about how to add the feature (which
> would presumably be pretty simple, just have the bus daemon call
> set_allow_anonymous() if ANONYMOUS is one of the auth mechanisms, or
> something).
>
> If the feature appears useful and we talk about how to add it, the
> remaining step would be for a volunteer to write a patch (which should
> be a very simple patch).
>
> For the system and session bus, I don't know why ANONYMOUS would be
> useful - so I am guessing you are using the bus daemon for some other
> custom purpose, with a custom config file?
>
> Havoc
>
>
>


-- 
Regards,

Sergey



["dbus-daemon-support-anonymous-patch.diff" (text/x-patch)]

--- bus/bus.c
+++ bus/bus.c
@@ -187,6 +187,14 @@ new_connection_callback (DBusServer     *server,
 
   dbus_connection_set_max_message_size (new_connection,
                                         context->limits.max_message_size);
+
+  /* if ANONYMOUS is allowed in the conf file (either 
+   * implicitely specified or when no auth mechanism is listed), this will
+   * enable connecting to the daemon using ANONYMOUS authentication (i.e.
+   * no authentication at all) - useful when using TCP sockets as the transport
+   * layer (BE CAREFUL!); otherwise - has no special effect 
+   */
+  dbus_connection_set_allow_anonymous(new_connection, TRUE);
   
   /* on OOM, we won't have ref'd the connection so it will die. */
 }
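
Review bot: The added dbus_connection_set_allow_anonymous(new_connection, TRUE) call in new_connection_callback() is unconditional, so every connection the daemon accepts has anonymous login permitted and the only remaining gate is the configured mechanism list. As the new comment itself states, a config that lists no auth mechanism then accepts ANONYMOUS, which means a config file that was never edited starts admitting unauthenticated clients after this change. Suggest making it opt-in: make the call only when the parsed configuration explicitly names ANONYMOUS (or carries a dedicated setting for it), and leave the per-connection default untouched otherwise. Two smaller points: "implicitely specified" in the comment presumably should read "explicitly specified", and the call needs a space before the opening parenthesis to match the dbus_connection_set_max_message_size ( call just above it; two of the added comment lines also end in trailing whitespace.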

