author | Milan Bouchet-Valat <nalimilan@club.fr> | 2009-08-18 23:59:19 +0200 |
---|---|---|
committer | Milan Bouchet-Valat <nalimilan@club.fr> | 2009-08-19 13:25:29 +0200 |
commit | 8d2a8184cb80e541216ab228e555a9f8e0f0e089 (patch) | |
tree | be384ca857dc76dc17088ebd609e275241efef73 | |
parent | 65b0c818a4eb8be6ec71cb486829d2f77db54906 (diff) |
Fix D-Bus policy file to apply correctly with restricted branch
Deny D-Bus access from normal users to modules by destination, not by interface (see http://bugs.freedesktop.org/show_bug.cgi?id=18961). Also explicitly allow root to communicate with all modules, to work with CVE-2008-4311 fixed. Patch from Debian (05_cve_2008_4311.patch); thanks to Simon McVittie, Josselin Mouette and Colin Walters.
-rw-r--r-- | org.freedesktop.SystemToolsBackends.conf | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/org.freedesktop.SystemToolsBackends.conf b/org.freedesktop.SystemToolsBackends.conf
index 7908e47..d031525 100644
--- a/org.freedesktop.SystemToolsBackends.conf
+++ b/org.freedesktop.SystemToolsBackends.conf
@@ -22,11 +22,7 @@
 <allow send_interface="org.freedesktop.SystemToolsBackends.Platform" send_member="getPlatform"/> -->
- <!-- configuration modules can't be accessed directly... -->
- <deny send_interface="org.freedesktop.SystemToolsBackends"/>
- <deny send_interface="org.freedesktop.SystemToolsBackends.Platform"/>
-
- <!-- ...so petitions go through the dispatcher instead -->
+ <!-- Only allow talking to the dispatcher -->
 <allow send_destination="org.freedesktop.SystemToolsBackends"/>
 </policy>
@@ -51,5 +47,17 @@
 so any message to them has to go through the dispatcher -->
 <allow send_interface="org.freedesktop.SystemToolsBackends"/>
 <allow send_interface="org.freedesktop.SystemToolsBackends.Platform"/>
+ <allow send_destination="org.freedesktop.SystemToolsBackends"/>
+ <allow send_destination="org.freedesktop.SystemToolsBackends.Platform"/>
+ <allow send_destination="org.freedesktop.SystemToolsBackends.GroupsConfig"/>
+ <allow send_destination="org.freedesktop.SystemToolsBackends.HostsConfig"/>
+ <allow send_destination="org.freedesktop.SystemToolsBackends.IfacesConfig"/>
+ <allow send_destination="org.freedesktop.SystemToolsBackends.NFSConfig"/>
+ <allow send_destination="org.freedesktop.SystemToolsBackends.NTPConfig"/>
+ <allow send_destination="org.freedesktop.SystemToolsBackends.ServicesConfig"/>
+ <allow send_destination="org.freedesktop.SystemToolsBackends.SMBConfig"/>
+ <allow send_destination="org.freedesktop.SystemToolsBackends.TimeConfig"/>
+ <allow send_destination="org.freedesktop.SystemToolsBackends.UserConfig"/>
+ <allow send_destination="org.freedesktop.SystemToolsBackends.UsersConfig"/>
 </policy>
 </busconfig> |
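Review bot: After the first hunk this policy block has no deny rule left for the module names, so keeping ordinary users away from the modules depends entirely on the system bus denying method calls by default, which this file neither states nor enforces. The description speaks of denying by destination, but the new side only carries `<allow send_destination="org.freedesktop.SystemToolsBackends"/>`. Either add one explicit rule per module name from the second hunk, for example `<deny send_destination="org.freedesktop.SystemToolsBackends.UsersConfig"/>`, or record the dependency next to the allow: `<!-- modules are unreachable here only because the bus is default-deny (CVE-2008-4311 fix) -->`. The enclosing `<policy>` element opens outside the hunk, so its context is assumed to be the default one.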
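Review bot: The two `<allow send_interface=.../>` lines kept as context above the additions in the second hunk still match on interface alone, so they apply to any destination on the bus that carries those interface names, not just this service. That is the pattern the commit moves away from in the other policy block, and with the new per-destination allows they look redundant; consider dropping them or pairing each with a `send_destination` attribute. The comment ending "has to go through the dispatcher" is also stale now that the modules are allowed directly and could read `<!-- root may talk to the dispatcher and to every module directly -->`. The list of module names is hard-coded, so a module added later stays unreachable until it is listed here; a short comment saying so would help. The `<policy>` element opens outside the hunk and is presumably the root policy.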