I need to restrict the client of a D-Bus service to only the user logged into the system locally, via ConsoleKit or systemd. How must I configure or write the D-Bus service to do so?
-
You mean block it from remote login (e.g. ssh, telnet) users? – John Siu Dec 26 '12 at 20:09
-
No. I mean block it from other arbitrary processes that decide to connect to it. – Ignacio Vazquez-Abrams Dec 26 '12 at 20:12
-
D-Bus by default (Debian/Ubuntu) uses a Unix socket, so there is no IP connection. On the other hand, D-Bus can be configured to only allow specific local users; is that what you are looking for? – John Siu Dec 26 '12 at 20:15
-
I want to allow only **a** specific user, namely the one that is logged in at the console. – Ignacio Vazquez-Abrams Dec 26 '12 at 20:24
-
So you want to limit D-Bus connections NOT by name, NOT by group, but by the following 2 conditions: (1) the user is currently logged in (2) the user is logged in locally. – John Siu Dec 27 '12 at 03:55
-
@John: That is correct. – Ignacio Vazquez-Abrams Dec 27 '12 at 04:10
-
If the box is not running X Window, maybe doable. But even then I don't know how to start, lol. – John Siu Dec 27 '12 at 04:57
-
It's definitely running X. Which is why I want to query ConsoleKit or systemd; they'd know who it is. – Ignacio Vazquez-Abrams Dec 27 '12 at 04:59
-
Maybe this: https://github.com/airtonix/userland-dbus-event-manager#readme – John Siu Dec 27 '12 at 23:27
-
I don't need to watch for events as my D-Bus service will know exactly when it will need to check the user: whenever a connection to the service is made. That may come in handy for other things though. – Ignacio Vazquez-Abrams Dec 28 '12 at 03:30
-
Frankly speaking, this is completely out of my knowledge scope. However, your question (and responses :D) pushed me to search and read, as this seems to be security related. Back to topic: according to [this](https://wiki.archlinux.org/index.php/D-Bus), dbus is a dependency of systemd. So I am not sure if it is suitable to be restricted like what you want it to be. – John Siu Dec 28 '12 at 03:43
-
I re-read your question and it seems I misunderstood it before. You want to implement the restriction for a specific custom service/daemon, NOT the dbus server/service, right? – John Siu Dec 29 '12 at 06:06
-
@John: That is correct. – Ignacio Vazquez-Abrams Dec 29 '12 at 06:55
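
One way to structure the per-call check discussed in this thread, as an added example that is not part of the original question or comments: the service resolves the caller's UID through the bus daemon (`org.freedesktop.DBus.GetConnectionUnixUser`) and compares it with the sessions systemd-logind reports. The session dictionaries are an assumption: they use logind's `Session` property names flattened to plain values, the two lookups are passed in as hypothetical callables, and the sample data is constructed.

```python
# Added example: authorize a D-Bus caller only if it is the local console user.
# Session dicts use org.freedesktop.login1.Session property names, flattened to
# plain values (assumption); all sample data below is constructed.

def local_console_uids(sessions):
    """Return UIDs owning an active, non-remote user session attached to a seat."""
    uids = set()
    for s in sessions:
        if s.get("Class") != "user":    # skip greeter / lock-screen sessions
            continue
        if s.get("Remote", True):       # fail closed when the property is missing
            continue
        if not s.get("Active", False):  # must be the foreground session
            continue
        if not s.get("Seat"):           # seat-less sessions (e.g. ssh) are not local
            continue
        uids.add(s["User"])
    return uids

def authorize(sender, get_unix_user, list_sessions):
    """Run at the top of every exported method, not once at start-up.

    sender        -- unique bus name of the caller, e.g. ":1.42"
    get_unix_user -- hypothetical wrapper around GetConnectionUnixUser
    list_sessions -- hypothetical wrapper returning logind session dicts
    """
    try:
        uid = get_unix_user(sender)
    except Exception:
        return False                    # peer vanished or lookup failed: deny
    return uid in local_console_uids(list_sessions())

SAMPLE_SESSIONS = [  # constructed
    {"User": 120,  "Seat": "seat0", "Remote": False, "Active": False, "Class": "greeter"},
    {"User": 1000, "Seat": "seat0", "Remote": False, "Active": True,  "Class": "user"},
    {"User": 1001, "Seat": "",      "Remote": True,  "Active": True,  "Class": "user"},
    {"User": 1002, "Seat": "seat0", "Remote": False, "Active": False, "Class": "user"},
]
SAMPLE_PEERS = {":1.42": 1000, ":1.57": 1001, ":1.60": 1002}  # constructed

def demo(sender):
    return authorize(sender, SAMPLE_PEERS.__getitem__, lambda: SAMPLE_SESSIONS)

if __name__ == "__main__":
    for name in (":1.42", ":1.57", ":1.60", ":1.99"):
        print(name, "allowed" if demo(name) else "denied")
```

Re-evaluating on every call matters because the active session can change (fast user switching, logout) while a client stays connected to the bus.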