On Tue, 4 Jul 2023 at 09:28, Josh Triplett <j...@joshtriplett.org> wrote:
>
> Simon McVittie wrote:
> > For example, dbus-daemon can only usefully have hardening applied if it
> > was built with traditional (non-systemd) service activation disabled,
> > which we cannot usefully do in Debian for two reasons: because we support
> > non-systemd init systems, and because we don't (currently) require
> > every D-Bus system service to have a corresponding systemd system unit.
> > Because of the way traditional activation works, a child process of a
> > setuid-root helper that is run by dbus-daemon must be allowed to exercise
> > any privilege that might legitimately be needed by any D-Bus-activated
> > system service, which rules out otherwise useful things like ProtectSystem.
>
> If we do want to further lock down D-Bus, we could have the D-Bus
> package build a variant that doesn't support traditional activation (for
> use on systemd-only systems), and a variant that does (for use on other
> systems). Then, we could work towards ensuring every D-Bus service
> supports service-based activation rather than only traditional
> activation. Over the course of a release cycle or so, we *could* get to
> the point of being able to lock down D-Bus on systemd systems.
Note that we already have such a package in the archive: dbus-broker. It has
been the default in Fedora for a long time, and it will be the default in
Ubuntu in the future. It has been available in Debian since Bullseye - please
help out testing it by installing it. No configuration is required, just
installing dbus-broker and rebooting.

It comes with some sandboxing by default (ProtectSystem=full), and I'm sure it
could use more.

Kind regards,
Luca Boccassi
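As an added illustration, not part of the thread above, here is what "supports service-based activation rather than only traditional activation" looks like on disk: a D-Bus system service file that names a systemd unit via SystemdService=, paired with that unit carrying the sandboxing the thread says cannot be applied to the traditional Exec= path. The bus name org.example.Hardened, the unit name and the executable path are placeholders.

```ini
# /usr/share/dbus-1/system-services/org.example.Hardened.service
# (placeholder name; the D-Bus side of the activation pair)
[D-BUS Service]
Name=org.example.Hardened
# Traditional activation path: dbus-daemon's setuid-root helper runs
# this directly. It is still used on non-systemd init systems, and it is
# the path that cannot be confined by the unit below.
Exec=/usr/libexec/example-hardened
User=root
# When the bus runs with systemd activation (dbus-daemon
# --systemd-activation, or dbus-broker), it asks systemd to start this
# unit instead of executing Exec= itself.
SystemdService=example-hardened.service

# /usr/lib/systemd/system/example-hardened.service
# (placeholder unit; started on demand by bus activation, so no [Install])
[Unit]
Description=Example hardened D-Bus system service

[Service]
# Type=dbus: systemd considers the service started once BusName= is owned.
Type=dbus
BusName=org.example.Hardened
ExecStart=/usr/libexec/example-hardened
# Sandboxing that only the systemd-activated path can carry:
# read-only /usr and /etc, no access to home directories, a private /tmp,
# and no privilege gain via setuid/setcap binaries.
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes
```

`systemd-analyze security example-hardened.service` reports how much exposure these directives actually remove and which ones are still worth adding.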