*** This bug has been split off bug 146765 ***

------- Original comment by Josh Bressers (Security Response Team) on 2005.02.01 09:47 -------

This text was stolen from the freedesktop bugzilla
https://bugs.freedesktop.org/show_bug.cgi?id=2436

If I login as root and create a session bus, then login as another user, I am able to use dbus-send to connect to root's session bus.

To reproduce:

Login as root, open a terminal, echo $DBUS_SESSION_BUS_ADDRESS, write down the address.

Run dbus-monitor --session

Login as another user on a console, run:

env DBUS_SESSION_BUS_ADDRESS=(address written down above) dbus-send --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListServices

The dbus-send gives a message about not being able to print the return value, and the dbus-monitor on root's session bus shows the ListServices request coming through.

A patch exists in the upstream bugzilla.
Created attachment 110510
Patch from upstream makes the bus only allow messages if sent from the session's uid
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-102.html