Bug#510636: libosso: Has a dbus config file which circumvents all security messages on the system bus

Matthew Johnson mjj29 at debian.org
Sun Jan 4 13:55:08 UTC 2009


On Sun Jan 04 13:40, Thijs Kinkhorst wrote:
> Hi, Matthew,
> 
> > Tags: security
> >
> > libosso1 ships /etc/dbus-1/system.d/libosso.conf which turns off all the
> > security checks on the system bus by allowing all messages from everyone
> > to everyone else. This is bad mkay?
> 
> As I understand it, "Maemo" is a kind of handheld device platform. I do not 
> understand yet how this would be a security issue on such a device, can you 
> clarify?
> 
Well, it's in Debian main, so anyone can install it and if they do so
all security is instantly disabled on the system bus. It's not something
which should be encouraged, even on a handheld device. Anyway, there's
no reason to do that since people should just write the correct rules
anyway. I'm told that Maemo has two users anyway, root and user. This
will break any separation between them on the system bus.

Matt

-- 
Matthew Johnson
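
An added example, not part of the original message or of libosso: a small Python audit that flags `<allow>` rules in a D-Bus policy fragment whose match attributes are all wildcards, the kind of rule the report describes. Both policy snippets are constructed samples (the real libosso.conf is not quoted in the thread), and the com.example names and function names are placeholders chosen for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an allow-everything fragment; NOT the real libosso.conf,
# whose contents are not quoted in the message above.
PERMISSIVE = """<busconfig>
  <policy context="default">
    <allow send_destination="*"/>
    <allow receive_sender="*"/>
    <allow own="*"/>
    <allow user="*"/>
  </policy>
</busconfig>"""

# Constructed sample of narrowly scoped rules (com.example.* names are placeholders).
SCOPED = """<busconfig>
  <policy user="root">
    <allow own="com.example.Service"/>
  </policy>
  <policy context="default">
    <allow send_destination="com.example.Service"
           send_interface="com.example.Service.Query"/>
  </policy>
</busconfig>"""


def is_message_attr(name):
    # Attributes that match on message traffic or bus-name ownership.
    return name == "own" or name.startswith(("send_", "receive_"))


def audit_policy(xml_text):
    """Return (policy scope, rule) for each <allow> that matches every message
    or every bus name, i.e. all of its attributes are message wildcards."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        scope = ",".join(f"{k}={v}" for k, v in sorted(policy.attrib.items()))
        for allow in policy.findall("allow"):
            attrs = allow.attrib
            if attrs and all(is_message_attr(k) and v == "*" for k, v in attrs.items()):
                rule = " ".join(f'{k}="{v}"' for k, v in sorted(attrs.items()))
                findings.append((scope, rule))
    return findings


if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE), ("scoped", SCOPED)):
        for scope, rule in audit_policy(text):
            print(f"{name}: policy[{scope}] <allow {rule}/>")
```

A hit is a candidate for review rather than a verdict, since a later `<deny>` rule in the merged bus configuration can still override it.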