[pkg-wpa-devel] Bug#510652: Bug#510652: wpasupplicant: /etc/dbus-1/system.d file needs alterations for fd.o #18961

Simon McVittie smcv at debian.org
Sun Jan 4 23:05:20 UTC 2009 

On Mon, 05 Jan 2009 at 07:20:13 +1000, Kel Modderman wrote:
> On Monday 05 January 2009 06:56:08 Simon McVittie wrote:
> > Package: wpasupplicant
> > Version: 0.6.4-3
> > Severity: normal
> > User: pkg-utopia-maintainers at lists.alioth.debian.org
> > Usertags: fdo-18961
> > 
> > wpasupplicant's D-Bus system.d config should be updated to fix
> > non-deterministic allow/deny for messages with no interface; the D-Bus
> > upstream recommendation seems to be that every allow or deny rule with
> > send_interface="..." should have a suitable send_destination attribute too.
> > 
> > In this case, this would make them redundant with the lines matching
> > send_destination="...", so they can just be removed (see
> > http://bugzilla.gnome.org/show_bug.cgi?id=563730 for the equivalent
> > changes to NetworkManager).
> > 
> > http://bugs.freedesktop.org/show_bug.cgi?id=18961 is the D-Bus bug tracking
> > this; there have also been discussions on the D-Bus mailing list.
> > 
> > Regards from the Cambridge BSP,
> >     Simon
> > 
> 
> Is this different to #510652 ?

Sorry for the duplicate, I've spent today in a maze of D-Bus policy and
missed the previous bug I filed...

This is not RC for lenny, and indeed probably shouldn't be fixed in sid while
still frozen.

I believe the necessary change is to remove the lines mentioning
send_interface, like this:

 <!DOCTYPE busconfig PUBLIC
  "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
 <busconfig>
         <policy user="root">
                 <allow own="fi.epitest.hostap.WPASupplicant"/>
 
                 <allow send_destination="fi.epitest.hostap.WPASupplicant"/>
-                <allow send_interface="fi.epitest.hostap.WPASupplicant"/>
         </policy>
         <policy group="netdev">
                 <allow send_destination="fi.epitest.hostap.WPASupplicant"/>
-                <allow send_interface="fi.epitest.hostap.WPASupplicant"/>
         </policy>
         <policy context="default">
                 <deny own="fi.epitest.hostap.WPASupplicant"/>
                 <deny send_destination="fi.epitest.hostap.WPASupplicant"/>
-                <deny send_interface="fi.epitest.hostap.WPASupplicant"/>
         </policy>
 </busconfig>

However, please test with the new dbus
(<http://people.debian.org/~smcv/dbus-cve-2008-4311/>, or 1.2.8 from
experimental, or the upcoming 1.2.1-5 from sid/lenny, or something else with
CVE-2008-4311 fixed) before uploading changes to these policy files. To be
honest, a large part of the purpose of filing these bugs was in case we had
to upgrade them to RC later, but wpasupplicant seems to work OK.

Regards,
    Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 155 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-wpa-devel/attachments/20090104/01c3f583/attachment-0001.pgp

More information about the Pkg-wpa-devel mailing list