From: John (J5) Palmieri Date: Mon, 29 Aug 2005 20:19:19 +0000 (+0000) Subject: * Release 0.36.2 X-Git-Tag: dbus-0.50~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b701a78aca32394ff18a630f029cc75dbd34bc9e;p=thirdparty%2Fdbus.git * Release 0.36.2 * Add Havoc's patch that never got applied to HEAD (Bug #2436): * bus/policy.c (bus_policy_allow_user): change default "user is allowed" to be "user has same uid as the bus itself"; any allow/deny rules will override. * bus/session.conf.in: don't allow all users, since now by default the user that ran the bus can connect. --- diff --git a/ChangeLog b/ChangeLog index e8210afed..0bb0c24b9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,16 @@ +2005-08-29 John (J5) Palmieri + + * Release 0.36.2 + + * Add Havoc's patch that never got applied to HEAD (Bug #2436): + + * bus/policy.c (bus_policy_allow_user): change default "user is + allowed" to be "user has same uid as the bus itself"; any + allow/deny rules will override. + + * bus/session.conf.in: don't allow all users, since now by default + the user that ran the bus can connect. + 2005-08-26 Colin Walters * tools/dbus-print-message.c (print_message): Flush stdout diff --git a/NEWS b/NEWS index 887492a58..bafd8cf03 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,8 @@ +D-BUS 0.36.2 (29 August 2005) +=== +- Security: Restrict other users from connecting to another users + session bus + D-BUS 0.36.1 (24 August 2005) === - Python Bindings: diff --git a/bus/policy.c b/bus/policy.c index 7759dfad0..c0244bdcb 100644 --- a/bus/policy.c +++ b/bus/policy.c @@ -453,8 +453,9 @@ bus_policy_allow_user (BusPolicy *policy, uid); return FALSE; } - - allowed = FALSE; + + /* Default to "user owning bus" or root can connect */ + allowed = uid == _dbus_getuid (); allowed = list_allows_user (allowed, &policy->default_rules, diff --git a/bus/session.conf.in b/bus/session.conf.in index 8b6d65f70..1a6dfda54 100644 --- a/bus/session.conf.in +++ b/bus/session.conf.in @@ -19,8 +19,6 @@ - -
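Review bot: In the NEWS hunk, "another users session bus" is missing the possessive apostrophe and should read "another user's session bus". Since this is the only user-facing record of a security fix, the entry would also be clearer if it said what the default is now, in the ChangeLog's own words: the user must have the same uid as the bus itself unless allow/deny rules override.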
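Review bot: In the bus/policy.c hunk, the new comment and the new assignment disagree. The comment says /* Default to "user owning bus" or root can connect */, but allowed = uid == _dbus_getuid (); only compares the connecting uid against the bus's own uid, and nothing in this hunk grants root access unless the bus itself runs as root. The ChangeLog entry describes the equality check only ("user has same uid as the bus itself"), so either drop "or root" from the comment or add the root case explicitly if it is intended. Parenthesising the comparison, as in allowed = (uid == _dbus_getuid ());, would make the assignment easier to read. This changes a security default and the patch touches no test file, so a test that a different uid is refused with no rules present would be worth adding.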
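Review bot: In the bus/session.conf.in hunk (@@ -19,8 +19,6 @@), two lines are removed and nothing is added, so the file no longer states who may connect to the session bus; that decision now lives only in the default inside bus_policy_allow_user. A short comment in the config at this spot, saying that only the user who ran the bus can connect by default and that allow/deny rules override it, would keep administrators from assuming the policy is missing or from re-adding a blanket allow rule.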