Use AuthAnnonymous() when connecting to DBus over TCP #796

Open
wants to merge 1 commit into base: develop

someDude12341

DBus-next defaults to using AuthExternal() when authenticating, but this only works when we are working on the same machine.

Tested on Ubuntu 21.10.

@dlech
Collaborator

dlech commented Mar 30, 2022

This seems like it could be a security hole. What is the use case? It seems like it would be better to run Bleak on the same machine as BlueZ and use some sort of RPC instead.

@someDude12341
Author

> What is the use case?

Convenience during development.

@someDude12341
Author

> This seems like it could be a security hole.

Absolutely, just not in Bleak. For this to be a thing you would first have to edit /etc/dbus-1/system-local.conf and /lib/systemd/system/dbus.socket on the host machine and re-define DBUS_SYSTEM_BUS_ADDRESS on your local machine.

I would argue that if someone makes these kinds of changes and doesn't know better than to remain on an isolated LAN, then bigger security holes are at stake.

@dlech
Collaborator

dlech commented Dec 27, 2022

We recently made some similar changes in #1182, so if this is still needed, would like to add a BLEAK_DBUS_AUTH_ANON environment variable check in the new get_dbus_authenticator() function and add a sentence or two to the new docs.

@someDude12341 force-pushed the fix-Dbus_over-TCP branch 2 times, most recently from bfcb1fd to 7c3c0ef (April 13, 2023 08:54)
@dlech
Collaborator

dlech commented Apr 13, 2023

Thanks for updating. I would rather use our own environment variable (e.g. BLEAK_DBUS_AUTH_ANON) to opt in to this rather than using heuristics on the value of DBUS_SYSTEM_BUS_ADDRESS. Are there any problems with doing it that way?

Also, could you add a changelog entry?
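
Added example, not part of the pull request or of Bleak's code: a sketch of the opt-in approach discussed in this thread, where only an explicit BLEAK_DBUS_AUTH_ANON setting selects anonymous authentication and DBUS_SYSTEM_BUS_ADDRESS is parsed for diagnostics only. The function names, the accepted value "1", and the sample addresses are assumptions; the mechanism is returned as its D-Bus SASL name rather than as a library authenticator object.

```python
import os

# SASL mechanism names from the D-Bus specification.
EXTERNAL, ANONYMOUS = "EXTERNAL", "ANONYMOUS"
OPT_IN_VAR = "BLEAK_DBUS_AUTH_ANON"   # name proposed in the review comment
OPT_IN_VALUE = "1"                    # assumption: only the literal "1" opts in
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_bus_address(address):
    """Split 'transport:k=v,k=v;...' into [(transport, {k: v}), ...].

    Values are kept as written; %-escapes are not decoded in this sketch.
    """
    entries = []
    for part in filter(None, address.split(";")):
        transport, _, rest = part.partition(":")
        params = dict(kv.split("=", 1) for kv in rest.split(",") if "=" in kv)
        entries.append((transport, params))
    return entries


def select_auth_mechanism(environ=None):
    """Return (mechanism, notes). Only the explicit opt-in yields ANONYMOUS;
    the bus address is inspected for diagnostics, never to pick the mechanism."""
    env = os.environ if environ is None else environ
    opted_in = env.get(OPT_IN_VAR) == OPT_IN_VALUE
    entries = parse_bus_address(env.get("DBUS_SYSTEM_BUS_ADDRESS", ""))
    remote = [p["host"] for t, p in entries
              if t == "tcp" and p.get("host") and p["host"] not in LOOPBACK]
    notes = []
    if opted_in:
        notes.append("ANONYMOUS selected: the bus will not verify this client's identity")
        if not remote:
            notes.append(f"{OPT_IN_VAR} is set but no remote TCP bus address is configured")
        return ANONYMOUS, notes
    if remote:
        notes.append(f"remote TCP bus {remote[0]} configured without {OPT_IN_VAR}=1; using EXTERNAL")
    return EXTERNAL, notes


if __name__ == "__main__":
    # Constructed environment, not taken from the pull request.
    sample = {"DBUS_SYSTEM_BUS_ADDRESS": "tcp:host=192.168.1.10,port=55556",
              OPT_IN_VAR: "1"}
    print(select_auth_mechanism(sample))
```
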
