Package: dbus Version: 1.12.10-1 Severity: important Tags: security Currently, dbus logs commands and their parameters, e.g. from my system (parts masked out with ##) Nov 3 13:57:16 samd dbus-daemon[2402]: [session uid=1000 pid=2400] Activating service name='org.a11y.Bus' requested by ':1.3' (uid=1000 pid=9366 comm="java ###") Nov 13 07:30:37 samd dbus-daemon[577]: [system] Activating via systemd: service name='org.bluez' unit='dbus-org.bluez.service' requested by ':1.32' (uid=1001 pid=3411 comm="/usr/lib/chromium/chromium --show-component-extens") Nov 18 12:57:23 samd dbus-daemon[2879]: [session uid=1000 pid=2877] Activating service name='org.kde.ActivityManager' requested by ':1.6' (uid=1000 pid=3231 comm="okular ####") Nov 21 09:45:13 samd at-spi-bus-launcher[3054]: dbus-daemon[3170]: Activating service name='org.a11y.atspi.Registry' requested by ':1.0' (uid=1001 pid=3098 comm="/usr/bin/kuiserver ") Nov 22 07:51:39 samd dbus-daemon[2759]: [session uid=1001 pid=2759] Activating via systemd: service name='org.gnome.evince.Daemon' unit='org.gnome.Evince.service' requested by ':1.84' (uid=1001 pid=4154 comm="/usr/bin/evince ####")
The string after service name= varies, typical parameters are
org.a11y.Bus, org.kde.ActivityManager, ca.desrt.dconf,
org.kde.kglobalaccel
Parameter often include file names, e.g. for okular, evince, …
These commands and their parameters do not belong into the system log.
These are private data. Of course, if the system administrator chooses
to spy on a user, he can so so. But by default this should not be the
case.
Consider the typical szenario, where dozens (hundreds) of systems are
operated (like at my job) on Linux systems. The logs might (should) be
aggregated to some server and analysed for malfunction. If this
unnecessary private data is stored there as well, it is a "nice"
target for people wanting to observer the users, very unlikely to get
noticed, not even necessary to leave traces on the machine of the
user.
Additionally:
In some jurisdictions, processing of private data is heavily
regulated, e.g. in Europe with the GDPR. Avoiding logging those
private data makes it much easier for system administrators to be
compliant as well. Otherwiese they would need fancy filters (maybe
logcheck would suffice?) to avoid those data to be stored.
I tagged this security, as I'm not sure if privacy related issues are
treated as security issues as well and in more sensitive environemnts
the need-to-know principle is implemented, meaning that sensitive
information like file names processed should by default not be
disclosed as well, doing so might be security relevant.
I can see the following possible actions, in the order of preference:
1) dbus-daemon does not log this information by default.
As far as I can see, these messages are useless in normal
operation. If debugging is required (or problems arise on a
machine) then of course logging them could be re-enabled.
2) dbus-daemon logs much less by default.
This would imply at least the removal of the "comm" part, possibly
unless errors occur. There should be a clear description of how to
remove the logging altogether as well.
3) Filter sensitive information out of the logging stream.
Using tools like "logcheck" to filter out those messages. However,
this can only be a band aid, as administrators would need to
install additional software, so a good description should be placed
at a suitable position, and the tool (e.g. logcheck) should be
recommended by dbus by default, to ensure good coverage.
I'm not sure if logcheck is the right tool, as it by default sends
e-mails an leaves the logs otherwise unaltered, so if centralized
processing happens, logchecking does not interfere.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL
set to de_DE.UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set
to de_DE.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages dbus depends on:
ii adduser 3.118
ii libapparmor1 2.13.1-3+b1
ii libaudit1 1:2.8.4-2
ii libc6 2.27-8
ii libcap-ng0 0.7.9-1
ii libdbus-1-3 1.12.10-1
ii libexpat1 2.2.6-1
ii libselinux1 2.8-1+b1
ii libsystemd0 239-13
ii lsb-base 9.20170808
dbus recommends no packages.
Versions of packages dbus suggests:
ii dbus-user-session [default-dbus-session-bus] 1.12.10-1
ii dbus-x11 [dbus-session-bus] 1.12.10-1
Versions of packages dbus is related to:
ii dbus-x11 1.12.10-1
ii systemd 239-13
ii systemd-sysv 239-13
-- no debconf information
--
Dr. Helge Kreutzmann deb...@helgefjell.de
Dipl.-Phys. http://www.helgefjell.de/debian.php
64bit GNU powered gpg signed mail preferred
Help keep free software "libre": http://www.ffii.de/
signature.asc
Description: Digital signature
_______________________________________________ Pkg-utopia-maintainers mailing list Pkg-utopia-maintainers@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers
