On Fri, 23 Jul 2010 at 11:36:00 -0400, Christian Weeks wrote:
> I have to manually, on each upgrade of dbus, do the chmod to add o+x,
> otherwise DBus fails to launch stuff. (This is probably a big security
> hole which is why it's not set that way but..)
The intended security model is:
* dbus-daemon runs as uid messagebus, gid messagebus
* group messagebus has no other members
* dbus-daemon-launch-helper is executable by messagebus, only
Is your messagebus *group* in LDAP, or in /etc/group, or both?
What is the messagebus group's numeric GID?
What groups does the system dbus-daemon have? You can get this with:
cat /proc/$its_pid/status
The intended setup is something like this: on my system, user 103 is
the messagebus user, group 104 is the messagebus group, and the system bus is
process 2354.
s...@reptile% grep messagebus /etc/passwd
messagebus:x:103:104::/var/run/dbus:/bin/false
s...@reptile% grep messagebus /etc/group
messagebus:x:104:
s...@reptile% pgrep dbus-daemon | xargs ps
PID TTY STAT TIME COMMAND
2354 ? Ss 0:14 /usr/bin/dbus-daemon --system
...
s...@reptile% egrep 'Uid|Gid|Group' /proc/2354/status
Uid: 103 103 103 103
Gid: 104 104 104 104
Groups:
s...@reptile% ls -ln /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-- 1 0 104 45936 Jul 17 14:31 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
             ^ ^
             | \-- this is the messagebus group
             \-- this is the root user
> Fine, however, I don't understand how I have misconfigured, if I have.
> It was a working setup for the prior three years and only broke when the
> new dbus landed about 6 months ago (The upgrade from dbus 1.2.16-2 to
> 1.2.20-2 is where I noticed the problem start occurring).
That might well coincide with the introduction of dbus-daemon-launch-helper
(system bus activation). Before that, system services like Avahi had to run
as a separate daemon (as root), then connect to the system bus.
Simon
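The three properties of the intended model above, checked from captured text. This is an added example, not part of the original message or of dbus; the function names are hypothetical and the sample lines are constructed from the output shown in the message.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of dbus.

# Print the numeric GID of group $2 from a group(5)-format file $1.
group_gid() {
    awk -F: -v g="$2" '$1 == g { print $3; exit }' "$1"
}

# Print accounts other than user $3 that belong to group $3: listed members in
# group file $1, plus users in passwd file $2 whose primary GID is that group.
extra_members() {
    gid=$(group_gid "$1" "$3")
    [ -n "$gid" ] || return 2
    {
        awk -F: -v g="$3" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
    } | grep -vx "$3" | sort -u
}

# Succeed if the /proc/PID/status text in file $1 shows all four Uid values
# equal to $2, all four Gid values equal to $3, and no other supplementary group.
status_ok() {
    awk -v u="$2" -v g="$3" '
        $1 == "Uid:"    { su = 1; for (i = 2; i <= 5; i++) if ($i != u) bad = 1 }
        $1 == "Gid:"    { sg = 1; for (i = 2; i <= 5; i++) if ($i != g) bad = 1 }
        $1 == "Groups:" { for (i = 2; i <= NF; i++) if ($i != g) bad = 1 }
        END { exit (bad || !su || !sg) }' "$1"
}

# Succeed if the `ls -ln` line $1 shows a setuid helper owned by uid 0 and
# group $2, executable by that group and not executable by "other".
helper_ok() {
    printf '%s\n' "$1" | awk -v g="$2" '
        { ok = (substr($1, 4, 1) == "s" && substr($1, 7, 1) == "x" && substr($1, 10, 1) == "-" && $3 == 0 && $4 == g) }
        END { exit !ok }'
}

# Constructed input: the ls -ln line from the message (gid 104), then the same
# line with o+x added, as after the manual chmod.
good='-rwsr-xr-- 1 0 104 45936 Jul 17 14:31 /usr/lib/dbus-1.0/dbus-daemon-launch-helper'
bad='-rwsr-xr-x 1 0 104 45936 Jul 17 14:31 /usr/lib/dbus-1.0/dbus-daemon-launch-helper'
helper_ok "$good" 104 && echo "helper: matches intended model"
helper_ok "$bad" 104 || echo "helper: executable by other"
```

On a live system, save the output of `getent group` and `getent passwd` to files and pass those instead of /etc/group and /etc/passwd, so that entries served from LDAP are included.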

