dbus-policy-excessively-broad

The package contains D-Bus policy configuration that matches broad classes of messages. This will cause strange side-effects, is almost certainly unintended, and is a probable security flaw.

For instance,

in any system bus policy file would allow the daemon user to send any method call to any service, including method calls which are meant to be restricted to root-only for security, such as org.freedesktop.systemd1.Manager.StartTransientUnit. (In addition, it allows that user to send any message to the com.example.Bees service.)

The intended policy for that particular example was probably more like

which correctly allows method calls to that particular service only.
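An added example, not Lintian's own check and not part of the original description: the two policies described above, written out as constructed D-Bus policy XML, plus a simplified heuristic that flags any allow rule matching sent messages without a send_destination. The function name and the heuristic are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed from the description above: two separate rules, so the first
# one matches method calls to *every* service on the bus.
BROAD_POLICY = """\
<busconfig>
  <policy user="daemon">
    <allow send_type="method_call"/>
    <allow send_destination="com.example.Bees"/>
  </policy>
</busconfig>
"""

# Constructed corrected form: both conditions sit on one rule, so only
# method calls addressed to com.example.Bees are allowed.
NARROW_POLICY = """\
<busconfig>
  <policy user="daemon">
    <allow send_type="method_call" send_destination="com.example.Bees"/>
  </policy>
</busconfig>
"""

def broad_allow_rules(policy_xml):
    """Return (policy attributes, rule attributes) for each <allow> rule that
    matches sent messages without pinning them to a destination service.
    Simplified heuristic (assumption); only the send side is checked."""
    findings = []
    root = ET.fromstring(policy_xml)
    for policy in root.iter("policy"):
        context = dict(policy.attrib)
        for rule in policy.findall("allow"):
            send_attrs = [a for a in rule.attrib if a.startswith("send_")]
            if send_attrs and "send_destination" not in rule.attrib:
                findings.append((context, dict(rule.attrib)))
    return findings

if __name__ == "__main__":
    for name, xml in (("broad", BROAD_POLICY), ("narrow", NARROW_POLICY)):
        for context, attrs in broad_allow_rules(xml):
            print(f"{name}: policy {context} has broad rule {attrs}")
```

Only the rule carrying send_type on its own is reported; the rule that names com.example.Bees and the combined rule in the corrected policy are not.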

Severity: error
Experimental: false
