diff options
| -rw-r--r-- | ChangeLog | 13 | ||||
| -rw-r--r-- | NEWS | 5 | ||||
| -rw-r--r-- | bus/policy.c | 5 | ||||
| -rw-r--r-- | bus/session.conf.in | 2 |
4 files changed, 21 insertions, 4 deletions
@@ -1,3 +1,16 @@ +2005-08-29 John (J5) Palmieri <johnp@redhat.com> + + * Release 0.36.2 + + * Add Havoc's patch that never got applied to HEAD (Bug #2436): + + * bus/policy.c (bus_policy_allow_user): change default "user is + allowed" to be "user has same uid as the bus itself"; any + allow/deny rules will override. + + * bus/session.conf.in: don't allow all users, since now by default + the user that ran the bus can connect. + 2005-08-26 Colin Walters <walters@verbum.org> * tools/dbus-print-message.c (print_message): Flush stdout @@ -1,3 +1,8 @@ +D-BUS 0.36.2 (29 August 2005) +=== +- Security: Restrict other users from connecting to another users + session bus + D-BUS 0.36.1 (24 August 2005) === - Python Bindings: diff --git a/bus/policy.c b/bus/policy.c index 7759dfad..c0244bdc 100644 --- a/bus/policy.c +++ b/bus/policy.c @@ -453,8 +453,9 @@ bus_policy_allow_user (BusPolicy *policy, uid); return FALSE; } - - allowed = FALSE; + + /* Default to "user owning bus" or root can connect */ + allowed = uid == _dbus_getuid (); allowed = list_allows_user (allowed, &policy->default_rules, diff --git a/bus/session.conf.in b/bus/session.conf.in index 8b6d65f7..1a6dfda5 100644 --- a/bus/session.conf.in +++ b/bus/session.conf.in @@ -19,8 +19,6 @@ <allow eavesdrop="true"/> <!-- Allow anyone to own anything --> <allow own="*"/> - <!-- Allow any user to connect --> - <allow user="*"/> </policy> <!-- This is included last so local configuration can override what's |