[Bug 263716] devel/dbus: not allowed to own service due to security policies in configuration file
Date: Tue, 03 May 2022 01:01:30 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263716
--- Comment #7 from Slawomir Wojciech Wojtczak <vermaden@interia.pl> ---
I did not touched the configs - these files were installed from the packages.
/usr/local/etc/dbus-1/system.d/avahi-dbus.conf
===============================================================================
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<!-- Only root or user avahi can own the Avahi service -->
<policy user="avahi">
<allow own="org.freedesktop.Avahi"/>
</policy>
<policy user="root">
<allow own="org.freedesktop.Avahi"/>
</policy>
<!-- Allow anyone to invoke methods on Avahi server, except SetHostName -->
<policy context="default">
<allow send_destination="org.freedesktop.Avahi"/>
<allow receive_sender="org.freedesktop.Avahi"/>
<deny send_destination="org.freedesktop.Avahi"
send_interface="org.freedesktop.Avahi.Server"
send_member="SetHostName"/>
</policy>
<!-- Allow everything, including access to SetHostName to users of the group
"network" -->
<policy group="network">
<allow send_destination="org.freedesktop.Avahi"/>
<allow receive_sender="org.freedesktop.Avahi"/>
</policy>
<policy user="root">
<allow send_destination="org.freedesktop.Avahi"/>
<allow receive_sender="org.freedesktop.Avahi"/>
</policy>
</busconfig>
/usr/local/etc/dbus-1/system.d/ConsoleKit.conf
===============================================================================
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<!-- Only root can own the service -->
<policy user="root">
<allow own="org.freedesktop.ConsoleKit"/>
<!-- Allow all methods on interfaces -->
<allow send_destination="org.freedesktop.ConsoleKit"/>
</policy>
<!-- Deny all and then allow some methods on interfaces -->
<policy context="default">
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.DBus.Introspectable"/>
<deny send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"/>
<deny send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Seat"/>
<deny send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.DBus.Properties" />
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="Restart"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="CanRestart"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="Stop"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="CanStop"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="Reboot"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="CanReboot"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="PowerOff"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="CanPowerOff"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="Suspend"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="CanSuspend"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="Hibernate"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="CanHibernate"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="HybridSleep"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="CanHybridSleep"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="Inhibit"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="ListInhibitors"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="OpenSession"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="CloseSession"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="ListSeats"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="GetSeats"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="GetSessions"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="GetSessionForCookie"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="GetSessionForUnixProcess"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="GetSessionByPID"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="GetCurrentSession"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="GetSessionsForUnixUser"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="GetSessionsForUser"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="ActivateSession"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="ActivateSessionOnSeat"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="GetSystemIdleHint"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Manager"
send_member="GetSystemIdleSinceHint"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Seat"
send_member="GetId"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Seat"
send_member="GetName"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Seat"
send_member="GetSessions"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Seat"
send_member="GetDevices"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Seat"
send_member="GetActiveSession"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Seat"
send_member="CanActivateSessions"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Seat"
send_member="ActivateSession"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Seat"
send_member="SwitchTo"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="GetId"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="GetSeatId"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="GetLoginSessionId"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="GetSessionType"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="GetSessionClass"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="GetSessionState"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="GetUser"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="GetUnixUser"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="GetXDGRuntimeDir"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="GetX11Display"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="GetX11DisplayDevice"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="GetDisplayDevice"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="GetRemoteHostName"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="GetVTNr"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="IsActive"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="IsLocal"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="GetCreationTime"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="Activate"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="GetIdleHint"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="SetIdleHint"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="GetIdleSinceHint"/>
<allow send_interface="org.freedesktop.ConsoleKit.Session"
send_member="SetIdleHint"/>
<allow send_interface="org.freedesktop.ConsoleKit.Session"
send_member="SetLockedHint"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="CanControlSession"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="TakeControl"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="ReleaseControl"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="TakeDevice"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="ReleaseDevice"/>
<allow send_destination="org.freedesktop.ConsoleKit"
send_interface="org.freedesktop.ConsoleKit.Session"
send_member="PauseDeviceComplete"/>
</policy>
</busconfig>
/usr/local/etc/dbus-1/system.d/cups.conf
===============================================================================
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration
1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<!-- Only root can send this message -->
<policy user="root">
<allow send_interface="com.redhat.PrinterSpooler"/>
</policy>
<!-- Allow any connection to receive the message -->
<policy context="default">
<allow receive_interface="com.redhat.PrinterSpooler"/>
</policy>
</busconfig>
/usr/local/etc/dbus-1/system.d/dbus-wpa_supplicant.conf
===============================================================================
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy user="root">
<allow own="fi.w1.wpa_supplicant1"/>
<allow send_destination="fi.w1.wpa_supplicant1"/>
<allow send_interface="fi.w1.wpa_supplicant1"/>
<allow receive_sender="fi.w1.wpa_supplicant1"
receive_type="signal"/>
</policy>
<policy context="default">
<deny own="fi.w1.wpa_supplicant1"/>
<deny send_destination="fi.w1.wpa_supplicant1"/>
<deny receive_sender="fi.w1.wpa_supplicant1"
receive_type="signal"/>
</policy>
</busconfig>
/usr/local/etc/dbus-1/system.d/org.freedesktop.ColorManager.conf
===============================================================================
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<!-- This configuration file specifies the required security policies
for the ColorManager to work. -->
<!-- Only user root or user colord can own the colord service -->
<policy user="root">
<allow own="org.freedesktop.ColorManager"/>
</policy>
<policy user="colord">
<allow own="org.freedesktop.ColorManager"/>
</policy>
<!-- Allow anyone to call into the service - we'll reject callers using
PolicyKit -->
<policy context="default">
<allow send_destination="org.freedesktop.ColorManager"
send_interface="org.freedesktop.ColorManager"/>
<allow send_destination="org.freedesktop.ColorManager"
send_interface="org.freedesktop.ColorManager.Profile"/>
<allow send_destination="org.freedesktop.ColorManager"
send_interface="org.freedesktop.ColorManager.Device"/>
<allow send_destination="org.freedesktop.ColorManager"
send_interface="org.freedesktop.ColorManager.Sensor"/>
<allow send_destination="org.freedesktop.ColorManager"
send_interface="org.freedesktop.DBus.Properties"/>
<allow send_destination="org.freedesktop.ColorManager"
send_interface="org.freedesktop.DBus.Introspectable"/>
<allow send_destination="org.freedesktop.ColorManager"
send_interface="org.freedesktop.DBus.Peer"/>
</policy>
</busconfig>
/usr/local/etc/dbus-1/system.d/org.freedesktop.GeoClue2.Agent.conf
===============================================================================
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy user="root">
<allow send_interface="org.freedesktop.GeoClue2.Agent"
send_path="/org/freedesktop/GeoClue2/Agent"/>
<allow send_interface="org.freedesktop.DBus.Properties"
send_path="/org/freedesktop/GeoClue2/Agent"/>
</policy>
<policy user="root">
<allow send_interface="org.freedesktop.GeoClue2.Agent"
send_path="/org/freedesktop/GeoClue2/Agent"/>
<allow send_interface="org.freedesktop.DBus.Properties"
send_path="/org/freedesktop/GeoClue2/Agent"/>
</policy>
</busconfig>
/usr/local/etc/dbus-1/system.d/org.freedesktop.GeoClue2.conf
===============================================================================
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy context="default">
<!-- Allow everyone to talk to main service. We'll later add an agent to
only share the location if user allows it. -->
<allow send_destination="org.freedesktop.GeoClue2"/>
</policy>
<policy user="root">
<!-- Only allow root to own the name on the bus -->
<allow own="org.freedesktop.GeoClue2"/>
<!-- Also give root access to wpa_supplicant API -->
<allow receive_sender="fi.w1.wpa_supplicant1"
receive_type="signal"/>
<allow send_destination="fi.w1.wpa_supplicant1"
send_interface="org.freedesktop.DBus.Properties"
send_member="Get"/>
<allow send_destination="fi.w1.wpa_supplicant1"
send_interface="org.freedesktop.DBus.Properties"
send_member="GetAll"/>
<allow send_destination="fi.w1.wpa_supplicant1"
send_interface="org.freedesktop.DBus.Introspectable"/>
<allow send_destination="fi.w1.wpa_supplicant1"
send_interface="fi.w1.wpa_supplicant1.Interface"
send_type="method_call"
send_member="Scan"/>
</policy>
<policy user="root">
<!-- Allow root to own the name on the bus -->
<allow own="org.freedesktop.GeoClue2"/>
</policy>
</busconfig>
/usr/local/etc/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
===============================================================================
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy user="polkitd">
<allow own="org.freedesktop.PolicyKit1"/>
</policy>
<policy context="default">
<allow send_destination="org.freedesktop.PolicyKit1"/>
</policy>
<!-- Allow uid 0 to send messages on the
org.freedesktop.PolicyKit1.AuthenticationAgent interface -->
<policy user="polkitd">
<allow send_interface="org.freedesktop.PolicyKit1.AuthenticationAgent"/>
</policy>
</busconfig>
/usr/local/etc/dbus-1/system.d/org.freedesktop.UDisks2.conf
===============================================================================
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<!-- Only root can own the service -->
<policy user="root">
<allow own="org.freedesktop.UDisks2"/>
</policy>
<!-- Anyone can send messages to the owner of org.freedesktop.UDisks2 -->
<policy context="default">
<allow send_destination="org.freedesktop.UDisks2"/>
</policy>
</busconfig>
/usr/local/etc/dbus-1/system.d/pulseaudio-system.conf
===============================================================================
<?xml version="1.0"?><!--*-nxml-*-->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration
1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<!--
This file is part of PulseAudio.
PulseAudio is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as
published by the Free Software Foundation; either version 2.1 of the
License, or (at your option) any later version.
PulseAudio is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General
Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with PulseAudio; if not, see <http://www.gnu.org/licenses/>.
-->
<busconfig>
<!-- System-wide PulseAudio runs as 'pulse' user. This fragment is
not necessary for user PulseAudio instances. -->
<policy user="pulse">
<allow own="org.pulseaudio.Server"/>
</policy>
</busconfig>
/usr/local/etc/dbus-1/session.conf
===============================================================================
<!--
This configuration file is no longer required and may be removed.
In older versions of dbus, this file defined the behaviour of the well-known
session bus. That behaviour is now determined by
/usr/local/share/dbus-1/session.conf, which should not be edited.
For local configuration changes, create a file
session-local.conf or files matching session.d/*.conf in the same directory
as this one, with a <busconfig> element containing configuration directives.
These directives can override D-Bus or OS defaults.
For upstream or distribution-wide defaults that can be overridden
by a local sysadmin, create files matching
/usr/local/share/dbus-1/session.d/*.conf instead.
-->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration
1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig></busconfig>
/usr/local/etc/dbus-1/system.conf
===============================================================================
<!--
This configuration file is no longer required and may be removed.
In older versions of dbus, this file defined the behaviour of the well-known
system bus. That behaviour is now determined by
/usr/local/share/dbus-1/system.conf, which should not be edited.
For local configuration changes, create a file
system-local.conf or files matching system.d/*.conf in the same directory
as this one, with a <busconfig> element containing configuration directives.
These directives can override D-Bus or OS defaults.
For upstream or distribution-wide defaults that can be overridden
by a local sysadmin, create files matching
/usr/local/share/dbus-1/system.d/*.conf instead.
-->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration
1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig></busconfig>
Regards.
--
You are receiving this mail because:
You are the assignee for the bug.