This text was stolen from the freedesktop bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=2436

If I log in as root and create a session bus, then log in as another user, I am able to use dbus-send to connect to root's session bus.

To reproduce:

Log in as root, open a terminal, echo $DBUS_SESSION_BUS_ADDRESS, write down the address. Run dbus-monitor --session

Log in as another user on a console, run:

    env DBUS_SESSION_BUS_ADDRESS=(address written down above) dbus-send --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListServices

The dbus-send gives a message about not being able to print the return value, and the dbus-monitor on root's session bus shows the ListServices request coming through.

A patch exists in the upstream bugzilla.

John, can you verify this note sent by Havoc:

Note that this only affects the per-user session bus. Right now I think we only use that for printing. So the impact is you could use this bug to print jobs as another user or view someone's jobs. This would not affect HAL or anything like that.

Verified. Worst that can happen is another user sends signals that print jobs have been started or canceled (Note this is only for notification. Other users cannot control the print queue). Disconnected signals are stopped at the bus so there is no way to make eggcups crash. Other than that there are currently no other services that use the session bus. I have RHEL-4, FC-3 and rawhide patched on my local machine. Risk is low. I am going to start filling out errata.

Fix went through Fedora Update procedure