Lintian Reports (BETA)

dbus-policy-excessively-broad

The package contains D-Bus policy configuration that matches broad classes of messages. This will cause strange side-effects, is almost certainly unintended, and is a probable security flaw.

For instance,

    <policy user="daemon">
      <allow send_type="method_call"/>
      <allow send_destination="com.example.Bees"/>
    </policy>

in any system bus policy file would allow the daemon user to send any method call to any service, including method calls which are meant to be restricted to root-only for security, such as org.freedesktop.systemd1.Manager.StartTransientUnit. Each <allow> element is an independent rule, so putting send_type and send_destination in separate elements does not combine them into one condition. (In addition, the second rule allows that user to send any message to the com.example.Bees service.)

The intended policy for that particular example was probably more like

    <policy user="daemon">
      <allow send_type="method_call" send_destination="com.example.Bees"/>
    </policy>

which correctly allows method calls to that particular service only.
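
The difference between the two policies can be checked mechanically. The Python below is an example added here, not Lintian's detection logic and not part of the tag description: it evaluates both policies against two constructed method calls and lists allow rules that name no destination. The <busconfig> wrapper, the message dictionaries, the function names and the deny-by-default starting point are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Policies from the tag description, wrapped in <busconfig> (wrapper added here).
BROAD = """<busconfig><policy user="daemon">
  <allow send_type="method_call"/>
  <allow send_destination="com.example.Bees"/>
</policy></busconfig>"""
INTENDED = """<busconfig><policy user="daemon">
  <allow send_type="method_call" send_destination="com.example.Bees"/>
</policy></busconfig>"""

# Constructed sample messages sent by the "daemon" user.
SYSTEMD_CALL = {"type": "method_call", "destination": "org.freedesktop.systemd1",
                "interface": "org.freedesktop.systemd1.Manager",
                "member": "StartTransientUnit"}
BEES_CALL = {"type": "method_call", "destination": "com.example.Bees"}

def send_rules(xml_text, user):
    """Yield (tag, {field: value}) for each send rule in policies for `user`."""
    for policy in ET.fromstring(xml_text).iter("policy"):
        if policy.get("user") != user:
            continue
        for rule in policy:
            conds = {k[len("send_"):]: v for k, v in rule.attrib.items()
                     if k.startswith("send_")}
            if rule.tag in ("allow", "deny") and conds:
                yield rule.tag, conds

def may_send(xml_text, user, message):
    """Simplified model: all attributes of one rule must match, the last matching
    rule wins, and the starting point is deny (assumed, as for method calls)."""
    allowed = False
    for tag, conds in send_rules(xml_text, user):
        if all(message.get(field) == value for field, value in conds.items()):
            allowed = (tag == "allow")
    return allowed

def rules_without_destination(xml_text, user):
    """Allow rules that constrain sending but name no destination."""
    return [c for tag, c in send_rules(xml_text, user)
            if tag == "allow" and "destination" not in c]

if __name__ == "__main__":
    for name, pol in (("broad", BROAD), ("intended", INTENDED)):
        print(name, "systemd call allowed:", may_send(pol, "daemon", SYSTEMD_CALL),
              "| no destination:", rules_without_destination(pol, "daemon"))
```

The model covers only exact matches on send_* attributes within user policies; it does not reproduce the full rule evaluation of dbus-daemon.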

For more information please consult:

The tag is present in Lintian version 2.114.163. That is the most recent version we know about.

We use semantic versions. The patch number is a commit step indicator relative to the 2.111.0 release tag in our Git repository.

You can find the detection logic for this version at commit ffc17eb. For merge requests, please use the latest version in the Lintian check desktop/dbus.

Visibility: error

The following 1 source package in the archive triggered the tag 1 time (in any Lintian version).

There were no overrides.