dbus-policy-excessively-broad
The package contains D-Bus policy configuration that matches broad classes of messages. This will cause strange side-effects, is almost certainly unintended, and is a probable security flaw.
For instance,

    <policy user="daemon">
      <allow send_type="method_call"/>
      <allow send_destination="com.example.Bees"/>
    </policy>
in any system bus policy file would allow the daemon user to send any method call to any service, including method calls which are meant to be restricted to root only for security, such as org.freedesktop.systemd1.Manager.StartTransientUnit. Each <allow/> element is an independent rule, and a rule matches a message when all of the attributes it carries match; a rule carrying only send_type="method_call" therefore matches every method call regardless of destination. (In addition, the second rule allows that user to send any message to the com.example.Bees service.)
The intended policy for that particular example was probably more like

    <policy user="daemon">
      <allow send_type="method_call" send_destination="com.example.Bees"/>
    </policy>

which correctly allows method calls to that particular service only, because both attributes must match the same message.
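As an added illustration of the rule semantics above (this is example code, not Lintian's desktop/dbus check and not part of dbus-daemon), the following script parses a busconfig policy document and reports <allow/> rules that restrict what may be sent but never name a send_destination, which is exactly the shape of the over-broad rule in the example. The two policy documents and the heuristic itself are constructed for this example; whether a given rule is genuinely too broad still needs human review.

```python
"""Flag over-broad <allow/> rules in a D-Bus bus policy file.

Added illustration (not Lintian's check, not dbus-daemon code): a D-Bus
<allow/> rule matches a message only if *all* of its attributes match,
but each <allow/> element is an independent rule.  So
<allow send_type="method_call"/> on its own matches every method call to
every destination on the bus.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the policy fragment discussed above, as written.
BAD_POLICY = """<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="daemon">
    <allow send_type="method_call"/>
    <allow send_destination="com.example.Bees"/>
  </policy>
</busconfig>
"""

# Constructed sample: the intended policy, both attributes in one rule.
GOOD_POLICY = """<busconfig>
  <policy user="daemon">
    <allow send_type="method_call" send_destination="com.example.Bees"/>
  </policy>
</busconfig>
"""


def rule_is_excessively_broad(attrs):
    """Return a reason string if one <allow/> rule matches a broad class of
    messages, else None.

    Heuristic (an assumption of this example, not a definitive test): a rule
    that carries any send_* attribute but no send_destination applies to
    messages sent to every service on the bus, as does send_destination="*".
    Rules that only restrict receive_* or own are not examined here.
    """
    send_keys = sorted(k for k in attrs if k.startswith("send_"))
    if not send_keys:
        return None
    dest = attrs.get("send_destination")
    if dest is None:
        attr_text = ", ".join(f'{k}="{attrs[k]}"' for k in send_keys)
        return "send rule without send_destination matches every service: " + attr_text
    if dest == "*":
        return 'send_destination="*" matches every service'
    return None


def find_broad_rules(policy_xml):
    """Parse a busconfig document and return a list of
    (policy_scope, rule_attributes, reason) triples for over-broad allows."""
    root = ET.fromstring(policy_xml)
    findings = []
    for policy in root.iter("policy"):
        # e.g. user="daemon", context="default", group="..."
        scope = " ".join(f'{k}="{v}"' for k, v in policy.attrib.items()) or "(no attributes)"
        for rule in policy.findall("allow"):
            reason = rule_is_excessively_broad(rule.attrib)
            if reason:
                findings.append((scope, dict(rule.attrib), reason))
    return findings


if __name__ == "__main__":
    for name, doc in (("bad", BAD_POLICY), ("good", GOOD_POLICY)):
        hits = find_broad_rules(doc)
        print(f"{name}: {len(hits)} over-broad allow rule(s)")
        for scope, attrs, reason in hits:
            print(f"  <policy {scope}>: {attrs}: {reason}")
```

Run against a real file with `find_broad_rules(open("/etc/dbus-1/system.d/foo.conf").read())`. The heuristic is deliberately simple: it only looks at which attributes a single rule combines, which is the property the tag is about, and it does not attempt to reason about the order of allow and deny rules or about the bus-wide default policy.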
For more information please consult:
The tag is present in Lintian version 2.114.163. That is the most recent version we know about.

We use semantic versions. The patch number is a commit step indicator relative to the 2.114.0 release tag in our Git repository.
You can find the detection logic for this version at commit ea05801. For merge requests, please use the latest version in the Lintian check desktop/dbus.
Visibility: error