From: Simon McVittie Date: Fri, 14 Nov 2014 19:14:13 +0000 (+0000) Subject: README, HACKING: add some brief notes on reporting security vulnerabilities X-Git-Tag: dbus-1.8.12~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=34e5fdee4e5e43b8563e6e02b8bdc94c083b2f47;p=thirdparty%2Fdbus.git README, HACKING: add some brief notes on reporting security vulnerabilities We now have a private mailing list that can be the security contact. --- diff --git a/HACKING b/HACKING index 8c993b66d..2fed9e6c4 100644 --- a/HACKING +++ b/HACKING @@ -11,6 +11,11 @@ of patches, etc. should go there. Security === +If you find a security vulnerability that is not known to the public, +please report it privately to dbus-security@lists.freedesktop.org +or by reporting a freedesktop.org bug that is marked as +restricted to the "D-BUS security group". + Most of D-Bus is security sensitive. Guidelines related to that: - avoid memcpy(), sprintf(), strlen(), snprintf, strlcat(), diff --git a/README b/README index aea83300c..0257e69dd 100644 --- a/README +++ b/README 
@@ -29,6 +29,25 @@ If your use-case isn't one of these, D-Bus may still be useful, but only by accident; so you should evaluate carefully whether D-Bus makes sense for your project. +Security +== + +If you find a security vulnerability that is not known to the public, +please report it privately to dbus-security@lists.freedesktop.org +or by reporting a freedesktop.org bug that is marked as +restricted to the "D-BUS security group" (you might need to "Show +Advanced Fields" to have that option). + +On Unix systems, the system bus (dbus-daemon --system) is designed +to be a security boundary between users with different privileges. + +On Unix systems, the session bus (dbus-daemon --session) is designed +to be used by a single user, and only accessible by that user. + +We do not currently consider D-Bus on Windows to be security-supported, +and we do not recommend allowing untrusted users to access Windows +D-Bus via TCP. + Note: low-level API vs. high-level binding APIs ===
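Review bot: The HACKING hunk and the README hunk add near-identical reporting instructions, but only the README copy carries the "(you might need to "Show Advanced Fields" to have that option)" hint for marking a bug as restricted to the "D-BUS security group"; either add the same hint to HACKING or have HACKING point at the README section so the two copies do not drift apart.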
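Review bot: In the README hunk the new "Security" heading is underlined with "==", while the existing heading in the trailing context ("Note: low-level API vs. high-level binding APIs") and the HACKING copy both use "==="; use "===" here for consistency with the file's own heading style.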