Lintian tag: dbus-policy-excessively-broad
Type: error
Description (from lintian-explain-tags)
The package contains D-Bus policy configuration that matches broad classes
of messages. This will cause strange side-effects, is almost certainly
unintended, and is a probable security flaw.
For instance,
<policy user="daemon">
<allow send_type="method_call"/>
<allow send_destination="com.example.Bees"/>
</policy>
in any system bus policy file would allow the daemon user to send any
method call to any service, including method calls which are meant to be
restricted to root-only for security, such as
org.freedesktop.systemd1.Manager.StartTransientUnit. (In addition, it
allows that user to send any message to the com.example.Bees service.)
The intended policy for that particular example was probably more like
<policy user="daemon">
<allow send_type="method_call" send_destination="com.example.Bees"/>
</policy>
which correctly allows method calls to that particular service only.
Please refer to http://www.openwall.com/lists/oss-security/2015/01/27/25
for details.
Visibility: error
Show-Always: no
Check: desktop/dbus
Affected packages
| source |
version |
binary |
tag type |
tag |
information |
count |
| geoclue-2.0 |
2.7.1-2 |
geoclue-2.0/2.7.1-2+b2 |
overridden |
dbus-policy-excessively-broad |
<policy user="geoclue"><allow send_interface="org.freedesktop.DBus.Properties" send_path="/org/freedesktop/GeoClue2/Agent"/> [usr/share/dbus-1/system.d/org.freedesktop.GeoClue2.Agent.conf:2] |
9 |