
Recently I have tried to improve the safety/security of my system by using Linux Security Modules (LSM) such as AppArmor, grsecurity or NSA SELinux. In my case, AppArmor.

Trying to limit the untrusted binary blob "Microsoft Skype", I run into the problem that Skype effectively uses D-Bus. I now fear the potential risk linked to opening access to D-Bus and privilege escalation, in short an open door caused by D-Bus if it is not configured correctly (i.e. something of this sort: http://www.websecuritywatch.com/privilege-escalation-via-a-dbus-vilnerabilitiy/).

Is there a guide on how I can configure D-Bus in a way that limits the mischief and trouble a program can do? I would very much like to have a guide that focuses on the safety configuration of D-Bus.

The only thing I have found at present is http://www.redhat.com/magazine/003jan05/features/dbus/#security

which is not very helpful and rather frustrating, as to my understanding it suggests that the price for the D-Bus "functionality" is yet another extensive and overarching security setup, in addition to the trouble of already setting up the LSM.

This is why I would appreciate it if somebody could indicate to me if and where there is information about configuring D-Bus safely.

Braiam
humanityANDpeace
  • Didn't you read the maintainers' words "NOTE: libdbus maintainers state that **this is a vulnerability in the applications** that do not cleanse environment variables, not in libdbus itself"? – Braiam Mar 27 '14 at 17:34
  • @Braiam indeed I did. I nonetheless wanted to add a reference that gives some reason as to why I expect a safety configuration to be necessary. I could imagine that some risks (i.e. data sniffing) could happen (i.e. from Skype via D-Bus). I will try to find or add better examples. By the way, thanks for the edit! – humanityANDpeace Mar 27 '14 at 17:36
  • @Braiam In some sense this question ["Dbus: is there such a thing as a “Dbus sniffer”?"](http://stackoverflow.com/q/1477174/1711186) gave me reason to think D-Bus = risk? => need to configure safely! – humanityANDpeace Mar 27 '14 at 17:39
  • Not particularly helpful, but still a start, is this: http://dbus.freedesktop.org/doc/dbus-daemon.1.html A guide as asked for in this question would be essentially the same but (1) with examples and (2) more easily understandable – humanityANDpeace Mar 27 '14 at 18:51
