On 2025-05-09 10:25, Jeremy Bícha wrote:
> On Fri, May 9, 2025 at 11:27 AM Antonio Russo <aeru...@aerusso.net> wrote:
>> I'm tagging this bug as a security bug because it needlessly
>> starts a process that should not be running as root.
>
> Have you sent your patch to the security contact at
> https://www.bluez.org/development/security-bugs/ yet?

I emailed their general mailing list on 1/26, and secur...@bluez.org on 3/21.
I have heard no response on any channel regarding this until you replied
(thank you for looking at this).

> I wouldn't consider myself a security expert, but I don't think this
> is a security bug and that the importance you have set is too high.

From the trixie release policy [1], 5(b):

    (b) Security
    Programs must be setup to use the minimum privileges they can. (ie,
    not setuid where setgid will suffice; not setuid root where setuid
    some other user will suffice; setuid root for the minimum period
    possible, etc)

In addition to this program not needing root privileges, mpris-proxy is
specifically intended to only be run as an unprivileged user.

> It is fairly rare in Debian to use ConditionUser=!root
> https://codesearch.debian.net/search?q=ConditionUser.*root&literal=0

Remember, only units that the default.target depends on would absolutely
need these (though, given arguments I have heard against disabling
systemd user sessions entirely for privileged users, I think these
conditions should be more liberally applied).

> That doesn't mean that we shouldn't make your requested change, but if
> this is a security vulnerability, then there could be thousands of
> similar vulnerabilities!

Given how few things on my system are depended on by default.target on
my machine, I doubt this. You might check this on your own system, but I
suspect it is less than a dozen.

Also, specific to this bug, I think limiting running bluetooth
services as root probably outweighs more generic "but this broke my
workflow" arguments that might be more relevant for local-only
privilege elevation problems.

Imagine the kind of doomsday security vulnerability that is opened
up by running mpris-proxy.service if there is a privilege elevation
attack in that service: somebody walks by you, and installs a rootkit
on your machine (provided you have bluetooth enabled).

> We are effectively in Hard Freeze for Trixie so at this point I am
> leaning towards not requesting an unblock from the Debian Release Team
> to try to get this change into Trixie.

I do not believe that being in any stage of the release process should
discourage anyone from addressing security concerns in Debian. In fact,
given the slow-down in package churn, the later stages of the release
represent an excellent point in time for security testers to really dig
into the system integration issues that show up in complicated software
like Debian.

> Thank you,
> Jeremy Bícha

Best,
Antonio Russo

[1] https://release.debian.org/trixie/rc_policy.txt
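The thread turns on whether a systemd user unit carries a ConditionUser= guard that keeps it out of root's user session, and on checking how many units on one's own system lack such a guard. The following is an added example (not code from the bug report, from BlueZ, or from Debian) that evaluates ConditionUser= lines the way systemd.unit(5) describes them for uid 0 (negation with "!", triggering conditions with "|", and an empty assignment resetting the list) and reports which units would still start for root. The unit texts are constructed samples; a real audit would feed it the files from /usr/lib/systemd/user or the output of `systemctl --user cat`.

```python
"""Audit systemd user units for a ConditionUser= guard that excludes root.

Added example, not from the bug thread. Evaluates each unit's ConditionUser=
lines as systemd would for uid 0 and lists units that would start in root's
user session. The per-unit texts below are constructed samples.
"""


def parse_unit(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in order.

    systemd allows the same key several times (e.g. several ConditionUser=),
    so a plain dict per section would silently drop lines.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def root_passes(cond):
    """Evaluate one ConditionUser= value for uid 0.

    'root' and '0' name the root user; '@system' matches any system user,
    which root is. A leading '!' negates the check.
    """
    negate = cond.startswith("!")
    who = cond[1:] if negate else cond
    matches = who in ("root", "0", "@system")
    return matches != negate


def starts_for_root(unit_text):
    """True if the unit's ConditionUser= lines would all pass for root.

    Regular conditions are ANDed; conditions prefixed with '|' are
    'triggering' and at least one of them must hold. An empty
    'ConditionUser=' resets everything assigned before it.
    """
    regular, triggering = [], []
    for key, value in parse_unit(unit_text).get("Unit", []):
        if key != "ConditionUser":
            continue
        if value == "":
            regular, triggering = [], []  # empty assignment resets the list
            continue
        if value.startswith("|"):
            triggering.append(value[1:])
        else:
            regular.append(value)
    if not all(root_passes(c) for c in regular):
        return False
    if triggering and not any(root_passes(c) for c in triggering):
        return False
    return True


def audit(units):
    """units: {unit name: unit file text}. Return names that start for root."""
    return sorted(name for name, text in units.items() if starts_for_root(text))


# Constructed sample units (not copied from any real package).
SAMPLE_UNITS = {
    "unguarded.service": (
        "[Unit]\nDescription=Constructed unit with no guard\n"
        "[Service]\nExecStart=/usr/bin/true\n"
    ),
    "guarded.service": (
        "[Unit]\nDescription=Constructed unit guarded as the bug proposes\n"
        "ConditionUser=!root\n"
        "[Service]\nExecStart=/usr/bin/true\n"
    ),
    "reset.service": (
        "[Unit]\nConditionUser=!root\n"
        "ConditionUser=\n"  # resets the guard above, so root is allowed again
        "[Service]\nExecStart=/usr/bin/true\n"
    ),
    "uid-only.service": (
        "[Unit]\nConditionUser=1000\n"  # positive match on another uid
        "[Service]\nExecStart=/usr/bin/true\n"
    ),
}

if __name__ == "__main__":
    for name in audit(SAMPLE_UNITS):
        print(f"{name}: would start in root's user session")
```

The reset case is the one to watch in a real audit: a drop-in that assigns an empty `ConditionUser=` quietly undoes a guard set in the packaged unit, so the check has to be run over the merged unit text, not just the file shipped by the package.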