dbus: run as regular user rather than as root
authorJohn Audia <[email protected]>
Wed, 23 Jul 2025 00:05:48 +0000 (20:05 -0400)
committerRobert Marko <[email protected]>
Thu, 31 Jul 2025 08:59:55 +0000 (10:59 +0200)
Running as a dedicated dbus user is better from both a security and an
isolation perspective than running as root.

Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc

Signed-off-by: John Audia <[email protected]>
utils/dbus/Makefile
utils/dbus/files/dbus.init
utils/dbus/files/dbus.json [new file with mode: 0644]

index 30421195827a0152d577f84155b1d02ec67921b2..20a96cf446a696de0828846b9fa52eccda523147 100644 (file)
@@ -33,6 +33,7 @@ define Package/dbus/Default
   CATEGORY:=Utilities
   TITLE:=Simple interprocess messaging system
   URL:=https://dbus.freedesktop.org/
+  USERID:=dbus=91:dbus=91
 endef
 
 define Package/dbus/Default/description
@@ -146,6 +147,8 @@ define Package/dbus/install
        $(INSTALL_BIN) ./files/dbus.init $(1)/etc/init.d/dbus
        $(INSTALL_DIR) $(1)/usr/share/dbus-1
        $(CP) $(PKG_INSTALL_DIR)/usr/share/dbus-1 $(1)/usr/share/
+       $(INSTALL_DIR) $(1)/etc/capabilities
+       $(INSTALL_DATA) ./files/dbus.json $(1)/etc/capabilities
 endef
 
 define Package/dbus-utils/install
index 949a38d16294f5eb91c05227e94f5a712408248e..ec2e97b61960e0050f16631e1902e9740725889a 100644 (file)
@@ -14,6 +14,7 @@ PROG=/usr/bin/dbus-daemon
 start_service() {
        mkdir -m 0755 -p /var/lib/dbus
        mkdir -m 0755 -p /var/run/dbus
+       chown dbus:dbus /var/lib/dbus /var/run/dbus
 
        [ -x /usr/bin/dbus-uuidgen ] && /usr/bin/dbus-uuidgen --ensure
 
@@ -24,6 +25,12 @@ start_service() {
        [ -n "$DEBUG" ] && procd_set_param env DBUS_VERBOSE=1
        procd_set_param stdout 1
        procd_set_param stderr 1
+       [ -x /sbin/ujail -a -e /etc/capabilities/dbus.json ] && {
+               procd_add_jail dbus
+               procd_set_param user dbus
+               procd_set_param group dbus
+               procd_set_param capabilities /etc/capabilities/dbus.json
+       }
        procd_close_instance
 }
 
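Review bot: The drop to the dbus user in the second hunk sits inside `[ -x /sbin/ujail -a -e /etc/capabilities/dbus.json ] && {`, so on an image without ujail procd starts the daemon with no user set, presumably still as root, while `chown dbus:dbus /var/lib/dbus /var/run/dbus` in the first hunk runs unconditionally. Root-run steps (`/usr/bin/dbus-uuidgen --ensure`, if it writes under /var/lib/dbus, and the daemon itself in the fallback case) would then create files in directories that the unprivileged dbus user owns and can rearrange. Consider moving `procd_set_param user dbus` and `procd_set_param group dbus` out of the block so that only `procd_add_jail dbus` and the capabilities line depend on ujail, or guard the chown with the same test; whether the daemon starts cleanly as dbus without the capability file needs a run test. A one-line comment above the test saying what the service does when ujail is absent would also help, and `[ -x /sbin/ujail ] && [ -e /etc/capabilities/dbus.json ]` avoids the obsolescent `-a` operator.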
diff --git a/utils/dbus/files/dbus.json b/utils/dbus/files/dbus.json
new file mode 100644 (file)
index 0000000..e8eb9f2
--- /dev/null
@@ -0,0 +1,27 @@
+{
+       "bounding": [
+               "CAP_SETPCAP",
+               "CAP_SETUID",
+               "CAP_SETGID"
+       ],
+       "effective": [
+               "CAP_SETPCAP",
+               "CAP_SETUID",
+               "CAP_SETGID"
+       ],
+       "ambient": [
+               "CAP_SETPCAP",
+               "CAP_SETUID",
+               "CAP_SETGID"
+       ],
+       "permitted": [
+               "CAP_SETPCAP",
+               "CAP_SETUID",
+               "CAP_SETGID"
+       ],
+       "inheritable": [
+               "CAP_SETPCAP",
+               "CAP_SETUID",
+               "CAP_SETGID"
+       ]
+}
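Review bot: All five sets, `ambient` and `inheritable` included, list CAP_SETUID and CAP_SETGID, so the process that procd starts as user dbus keeps the ability to change to any uid or gid, and ambient capabilities are preserved across exec into whatever the daemon launches. That gives back much of what starting as a non-root user is meant to take away. The ambient entries are probably how the capabilities survive ujail's exec of the daemon, so simply emptying that list may drop everything; the question to settle is whether dbus-daemon needs CAP_SETUID and CAP_SETGID at all once it already starts as dbus. It is worth run-testing with the lists reduced (for example `"ambient": []` and `"inheritable": []`, or CAP_SETPCAP removed). JSON has no comments, so the reason for each retained capability belongs in the commit message.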