On Unix, avoid a use-after-free if two usernames have the same numeric uid. In older versions this could lead to a crash (denial of service) or other undefined behaviour, possibly including incorrect authorization decisions if <policy group=...> is used. Like Unix filesystems, D-Bus' model of identity cannot distinguish between users of different names with the same numeric uid, so this configuration is not advisable on systems where D-Bus will be used.

Reference: https://bugs.gentoo.org/755392

Created dbus tracking bugs for this issue:

Affects: fedora-all [bug 1909102]

Upstream issue: https://gitlab.freedesktop.org/dbus/dbus/-/issues/305

Upstream patch: https://gitlab.freedesktop.org/dbus/dbus/-/commit/e75c67a28fa2bc41a8ab0de433a52355c71a8abf

Statement: Regarding the concern with D-Bus, users with the same UID are treated as the same user. As in Linux, multiple assumptions are made based on the fact that a user is identified by its UID. It is not advisable to have multiple users with different privileges and the same UID on systems where D-Bus is used. For these reasons, this vulnerability has been rated as having Low Impact.
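
An audit for the configuration the statement advises against, as an added example (not code from D-Bus or from this bug report): it lists every numeric uid that more than one username maps to. The function names and the sample passwd data are constructed for illustration.

```python
import pwd
from collections import defaultdict

# Constructed sample in passwd(5) format; not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:alternate root:/root:/bin/sh
messagebus:x:81:81:System message bus:/:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
# comment line
backup:x:1000:1001::/home/backup:/bin/bash
broken-line-without-fields
+::::::
"""

def parse_passwd(text):
    """Yield (name, uid) from passwd(5)-format text, skipping unusable lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line[0] in "+-":
            continue  # blank line, comment, or NIS compat entry
        fields = line.split(":")
        uid = fields[2] if len(fields) >= 7 else ""
        if not (uid.isascii() and uid.isdigit()):
            continue  # malformed entry: wrong field count or non-numeric uid
        yield fields[0], int(uid)

def find_shared_uids(entries):
    """Map each uid held by more than one username to the list of those names."""
    by_uid = defaultdict(list)
    for name, uid in entries:
        if name not in by_uid[uid]:
            by_uid[uid].append(name)
    return {uid: names for uid, names in sorted(by_uid.items()) if len(names) > 1}

def system_entries():
    """All accounts visible through NSS (local files, LDAP, sssd, ...)."""
    return [(p.pw_name, p.pw_uid) for p in pwd.getpwall()]

if __name__ == "__main__":
    shared = find_shared_uids(system_entries())
    for uid, names in shared.items():
        print(f"uid {uid} is shared by: {', '.join(names)}")
    raise SystemExit(1 if shared else 0)
```

Run as a script, it checks the live account database and exits non-zero when any uid is shared, so it can gate a configuration-management run on hosts where D-Bus is in use.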