Lintian Reports

E dbus-policy-excessively-broad

All reports of dbus-policy-excessively-broad for the archive. The extended description of this tag is:

The package contains D-Bus policy configuration that matches broad classes of messages. This will cause strange side-effects, is almost certainly unintended, and is a probable security flaw.

For instance,

      <policy user="daemon">
        <allow send_type="method_call"/>
        <allow send_destination="com.example.Bees"/>
      </policy>
    

in any system bus policy file would allow the daemon user to send any method call to any service, including method calls which are meant to be restricted to root-only for security, such as org.freedesktop.systemd1.Manager.StartTransientUnit. (In addition, it allows that user to send any message to the com.example.Bees service.)

The intended policy for that particular example was probably more like

      <policy user="daemon">
        <allow send_type="method_call" send_destination="com.example.Bees"/>
      </policy>
    

which correctly allows method calls to that particular service only.

Refer to http://www.openwall.com/lists/oss-security/2015/01/27/25 for details.
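The following Python example is added here for illustration; it is not Lintian's own check and not code from the D-Bus project. It flags `<allow>` rules that match on `send_*` attributes without naming a destination, using the two policies above as constructed input. The function name `broad_allow_rules`, the `<busconfig>` wrappers, and the choice to treat any attribute beginning with `send_destination` as a destination constraint are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs: the two policies from the tag description,
# wrapped in a <busconfig> root element so they parse as complete documents.
BROAD = """<busconfig>
  <policy user="daemon">
    <allow send_type="method_call"/>
    <allow send_destination="com.example.Bees"/>
  </policy>
</busconfig>"""

NARROW = """<busconfig>
  <policy user="daemon">
    <allow send_type="method_call" send_destination="com.example.Bees"/>
  </policy>
</busconfig>"""


def broad_allow_rules(policy_xml):
    """Return (policy attributes, rule attributes) for every <allow> rule
    that matches on send_* attributes but does not restrict the destination.

    Simplified heuristic (assumption of this example): a rule is considered
    constrained if it carries any attribute starting with "send_destination".
    """
    findings = []
    root = ET.fromstring(policy_xml)
    for policy in root.iter("policy"):
        context = dict(policy.attrib)
        for rule in policy.findall("allow"):
            send_attrs = [a for a in rule.attrib if a.startswith("send_")]
            has_dest = any(a.startswith("send_destination") for a in send_attrs)
            if send_attrs and not has_dest:
                findings.append((context, dict(rule.attrib)))
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD), ("narrow", NARROW)):
        for context, attrs in broad_allow_rules(doc):
            print(f"{name}: policy {context} contains broad rule {attrs}")
```

Only the first rule of the broad policy is reported: the second rule names a destination, and the combined rule in the corrected policy does as well.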

Severity: error

Check: desktop/dbus

This tag has not been emitted in any package tested by Lintian.