Lintian tag: dbus-policy-excessively-broad

Type: error

Description (from lintian-explain-tags)

The package contains D-Bus policy configuration that matches broad classes
of messages. This will cause strange side-effects, is almost certainly
unintended, and is a probable security flaw.

For instance,

<policy user="daemon">
  <allow send_type="method_call"/>
  <allow send_destination="com.example.Bees"/>
</policy>

in any system bus policy file would allow the daemon user to send any
method call to any service, including method calls which are meant to be
restricted to root-only for security, such as
org.freedesktop.systemd1.Manager.StartTransientUnit. (In addition, it
allows that user to send any message to the com.example.Bees service.)

The intended policy for that particular example was probably more like

<policy user="daemon">
  <allow send_type="method_call" send_destination="com.example.Bees"/>
</policy>

which correctly allows method calls to that particular service only.

Please refer to http://www.openwall.com/lists/oss-security/2015/01/27/25
for details.
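
Added example (not Lintian's own code, and not from the page): a small audit of a policy file for <allow> rules that filter on send_* attributes without a send_destination, the pattern in the example above and in the entries under "Affected packages". The heuristic, the function names and the sample document are assumptions made for illustration; Lintian's real check may differ.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's broad policy, its corrected form, and a
# rule shaped like the geoclue-2.0 entry listed under "Affected packages".
SAMPLE = """<busconfig>
  <policy user="daemon">
    <allow send_type="method_call"/>
    <allow send_destination="com.example.Bees"/>
  </policy>
  <policy user="daemon">
    <allow send_type="method_call" send_destination="com.example.Bees"/>
  </policy>
  <policy user="geoclue">
    <allow send_interface="org.freedesktop.DBus.Properties"
           send_path="/org/freedesktop/GeoClue2/Agent"/>
  </policy>
</busconfig>"""


def broad_allow_rules(policy_xml):
    """Return (policy selector, rule attributes) for every <allow> rule that
    filters on send_* attributes but names no send_destination.

    Assumed heuristic for illustration; Lintian's real check may differ.
    """
    findings = []
    for policy in ET.fromstring(policy_xml).iter("policy"):
        for rule in policy.iter("allow"):
            attrs = rule.attrib
            has_send = any(key.startswith("send_") for key in attrs)
            if has_send and "send_destination" not in attrs:
                findings.append((dict(policy.attrib), dict(attrs)))
    return findings


def describe(finding):
    """Render a finding in the '<policy ...><allow .../>' form used in the table."""
    selector, attrs = finding
    sel = " ".join(f'{k}="{v}"' for k, v in selector.items())
    rule = " ".join(f'{k}="{v}"' for k, v in attrs.items())
    return f"<policy {sel}><allow {rule}/>"


if __name__ == "__main__":
    for finding in broad_allow_rules(SAMPLE):
        print(describe(finding))
```

Only the rules without a destination are reported; the combined send_type plus send_destination rule from the corrected policy passes.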

Visibility: error
Show-Always: no
Check: desktop/dbus

Affected packages

source version binary level tag count information
geoclue-2.0 2.7.2-2 geoclue-2.0/2.7.2-2 overridden dbus-policy-excessively-broad 9 <policy user="geoclue"><allow send_interface="org.freedesktop.DBus.Properties" send_path="/org/freedesktop/GeoClue2/Agent"/> [usr/share/dbus-1/system.d/org.freedesktop.GeoClue2.Agent.conf:2]
openvpn3-client 25+dfsg-2 openvpn3-client/25+dfsg-2 overridden dbus-policy-excessively-broad 6 <policy user="_openvpn"><allow send_interface="org.freedesktop.DBus.Properties" send_type="method_call" send_member="Set"/> [usr/share/dbus-1/system.d/net.openvpn.v3.conf:2]
openvpn3-client 25+dfsg-2 openvpn3-client/25+dfsg-2 overridden dbus-policy-excessively-broad 6 <policy context="default"><allow send_path="/net/openvpn/v3/sessions" send_interface="org.freedesktop.DBus.Properties" send_type="method_call" send_member="Get"/> [usr/share/dbus-1/system.d/net.openvpn.v3.sessions.conf:23]
openvpn3-client 25+dfsg-2 openvpn3-client/25+dfsg-2 overridden dbus-policy-excessively-broad 6 <policy user="_openvpn"><allow send_interface="org.freedesktop.DBus.Properties" send_type="method_call" send_member="GetAll"/> [usr/share/dbus-1/system.d/net.openvpn.v3.conf:3]
openvpn3-client 25+dfsg-2 openvpn3-client/25+dfsg-2 overridden dbus-policy-excessively-broad 6 <policy user="_openvpn"><allow send_interface="org.freedesktop.DBus.Properties" send_type="method_call" send_member="Get"/> [usr/share/dbus-1/system.d/net.openvpn.v3.conf:1]
openvpn3-client 25+dfsg-2 openvpn3-client/25+dfsg-2 overridden dbus-policy-excessively-broad 6 <policy context="default"><allow send_path="/net/openvpn/v3/configuration" send_interface="org.freedesktop.DBus.Properties" send_type="method_call" send_member="Get"/> [usr/share/dbus-1/system.d/net.openvpn.v3.configuration.conf:22]