Lintian Reports (Beta Testing)

E dbus-policy-excessively-broad

The package contains D-Bus policy configuration that matches broad classes of messages. This will cause strange side-effects, is almost certainly unintended, and is a probable security flaw.

For instance,

<policy user="daemon"> <allow send_type="method_call"/> <allow send_destination="com.example.Bees"/> </policy>

in any system bus policy file would allow the daemon user to send any method call to any service, including method calls which are meant to be restricted to root-only for security, such as org.freedesktop.systemd1.Manager.StartTransientUnit. (In addition, it allows that user to send any message to the com.example.Bees service.)

The intended policy for that particular example was probably more like

<policy user="daemon"> <allow send_type="method_call" send_destination="com.example.Bees"/> </policy>

which correctly allows method calls to that particular service only.

Refer to http://www.openwall.com/lists/oss-security/2015/01/27/25 for details.

Severity: error

Check: desktop/dbus

These source packages in the archive trigger the tag.