
Use AuthAnnonymous() when connecting to DBus over TCP

Open someDude12341 opened this issue 3 years ago • 5 comments

DBus-next defaults to using AuthExternal() when authenticating, but this only works when we are working on the same machine.

Tested on Ubuntu 21.10.

someDude12341, Mar 30 '22 14:03

This seems like it could be a security hole. What is the use case? It seems like it would be better to run Bleak on the same machine as BlueZ and use some sort of RPC instead.

dlech, Mar 30 '22 15:03

What is the use case?

Convenience during development.

someDude12341, Mar 30 '22 15:03

This seems like it could be a security hole.

Absolutely, just not in Bleak. For this to be a thing you would first have to edit /etc/dbus-1/system-local.conf and /lib/systemd/system/dbus.socket on the host machine and re-define DBUS_SYSTEM_BUS_ADDRESS on your local machine.

I would argue that if someone makes these kinds of changes and doesn't know better than to remain on an isolated LAN, then bigger security holes are at stake.

someDude12341, Mar 30 '22 16:03

We recently made some similar changes in https://github.com/hbldh/bleak/pull/1182, so if this is still needed, would like to add a BLEAK_DBUS_AUTH_ANON environment variable check in the new get_dbus_authenticator() function and add a sentence or two to the new docs.

dlech, Dec 27 '22 14:12

Thanks for updating. I would rather use our own environment variable (e.g. BLEAK_DBUS_AUTH_ANON) to opt in to this rather than using heuristics on the value of DBUS_SYSTEM_BUS_ADDRESS. Are there any problems with doing it that way?

Also, could you add a changelog entry?

dlech, Apr 13 '23 13:04
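The two points argued in this thread, that EXTERNAL authentication cannot work across a TCP transport and that ANONYMOUS should be selected only by an explicit opt-in rather than by inspecting DBUS_SYSTEM_BUS_ADDRESS, can be shown with a small model of the D-Bus SASL handshake. The code below is an added example; it is not Bleak's or dbus-next's code. It assumes the opt-in variable name BLEAK_DBUS_AUTH_ANON from the discussion (hypothetical until merged), and the server is a simplified model of dbus-daemon: on a Unix socket the daemon learns the peer uid from the kernel and checks it against the uid the client claims in AUTH EXTERNAL, while over TCP it has no peer credentials and can only accept ANONYMOUS if the bus configuration allows it.

```python
"""Added example (not project code): a minimal model of the D-Bus SASL handshake."""
from typing import List, Mapping, Optional, Tuple

# Opt-in variable proposed in the thread; the name is an assumption.
OPT_IN_VAR = "BLEAK_DBUS_AUTH_ANON"


def choose_mechanism(env: Mapping[str, str]) -> str:
    """Pick the SASL mechanism from an explicit opt-in only.

    The bus address is deliberately not consulted: a tcp: address alone
    must not silently downgrade authentication to ANONYMOUS.
    """
    if env.get(OPT_IN_VAR, "").strip().lower() in ("1", "true", "yes"):
        return "ANONYMOUS"
    return "EXTERNAL"


def auth_command(mechanism: str, uid: int) -> bytes:
    """Build the client's AUTH line (sent after the initial NUL byte)."""
    if mechanism == "EXTERNAL":
        # EXTERNAL carries the caller's uid as a decimal string, hex-encoded.
        return b"AUTH EXTERNAL " + str(uid).encode("ascii").hex().encode("ascii") + b"\r\n"
    if mechanism == "ANONYMOUS":
        return b"AUTH ANONYMOUS\r\n"
    raise ValueError(f"unsupported mechanism: {mechanism}")


class ModelBusServer:
    """Simplified bus daemon.

    peer_uid is what the transport can prove about the client: the kernel's
    SO_PEERCRED on a Unix socket, or None on TCP where nothing is proven.
    allow_anonymous models an <allow_anonymous/> element in the bus config.
    """

    def __init__(self, peer_uid: Optional[int], allow_anonymous: bool,
                 guid: str = "0123456789abcdef0123456789abcdef") -> None:
        self.peer_uid = peer_uid
        self.allow_anonymous = allow_anonymous
        self.guid = guid

    def _rejected(self) -> bytes:
        # REJECTED lists the mechanisms the server is willing to try.
        mechs = [b"EXTERNAL"]
        if self.allow_anonymous:
            mechs.append(b"ANONYMOUS")
        return b"REJECTED " + b" ".join(mechs) + b"\r\n"

    def respond(self, line: bytes) -> bytes:
        """Answer one client AUTH line with OK, REJECTED or ERROR."""
        if not line.endswith(b"\r\n"):
            return b"ERROR\r\n"
        parts = line[:-2].split(b" ")
        if parts[0] != b"AUTH" or len(parts) < 2:
            return b"ERROR\r\n"
        mech = parts[1]
        if mech == b"EXTERNAL":
            if self.peer_uid is None or len(parts) < 3:
                return self._rejected()  # no credentials to verify against
            try:
                claimed_uid = int(bytes.fromhex(parts[2].decode("ascii")).decode("ascii"))
            except ValueError:
                return self._rejected()  # malformed hex or non-numeric uid
            if claimed_uid != self.peer_uid:
                return self._rejected()  # claimed uid does not match the socket peer
            return b"OK " + self.guid.encode("ascii") + b"\r\n"
        if mech == b"ANONYMOUS":
            if self.allow_anonymous:
                return b"OK " + self.guid.encode("ascii") + b"\r\n"
            return self._rejected()
        return self._rejected()


def handshake(server: ModelBusServer, mechanism: str, uid: int) -> Tuple[bool, List[Tuple[str, bytes]]]:
    """Run one AUTH exchange; return (authenticated, transcript)."""
    transcript: List[Tuple[str, bytes]] = []
    request = auth_command(mechanism, uid)
    transcript.append(("C", request))
    reply = server.respond(request)
    transcript.append(("S", reply))
    if reply.startswith(b"OK "):
        transcript.append(("C", b"BEGIN\r\n"))  # switch to the message stream
        return True, transcript
    return False, transcript


if __name__ == "__main__":
    tcp_bus = ModelBusServer(peer_uid=None, allow_anonymous=False)
    for direction, line in handshake(tcp_bus, choose_mechanism({}), 1000)[1]:
        print(direction, line)
```

Running the block shows the default path over TCP: the client claims uid 1000 (`AUTH EXTERNAL 31303030`), and the server, having no peer credentials to check it against, replies `REJECTED EXTERNAL`. Only setting BLEAK_DBUS_AUTH_ANON on the client and `<allow_anonymous/>` on the daemon (the kind of host-side edit described above) makes the handshake succeed, which is exactly why that combination belongs on an isolated network.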