From f238d6dd0996e4cd511522b5af25c80ddab30e9b Mon Sep 17 00:00:00 2001 From: John Audia Date: Tue, 22 Jul 2025 20:05:48 -0400 Subject: [PATCH] dbus: run as regular user rather than as root Running as a dedicated dbus users is better from both a security and an isolation perspective than running as root. Build system: x86/64 Build-tested: x86/64-glibc Run-tested: x86/64-glibc Signed-off-by: John Audia --- utils/dbus/Makefile | 3 +++ utils/dbus/files/dbus.init | 7 +++++++ utils/dbus/files/dbus.json | 27 +++++++++++++++++++++++++++ 3 files changed, 37 insertions(+) create mode 100644 utils/dbus/files/dbus.json diff --git a/utils/dbus/Makefile b/utils/dbus/Makefile index 3042119582..20a96cf446 100644 --- a/utils/dbus/Makefile +++ b/utils/dbus/Makefile @@ -33,6 +33,7 @@ define Package/dbus/Default CATEGORY:=Utilities TITLE:=Simple interprocess messaging system URL:=https://dbus.freedesktop.org/ + USERID:=dbus=91:dbus=91 endef define Package/dbus/Default/description @@ -146,6 +147,8 @@ define Package/dbus/install $(INSTALL_BIN) ./files/dbus.init $(1)/etc/init.d/dbus $(INSTALL_DIR) $(1)/usr/share/dbus-1 $(CP) $(PKG_INSTALL_DIR)/usr/share/dbus-1 $(1)/usr/share/ + $(INSTALL_DIR) $(1)/etc/capabilities + $(INSTALL_DATA) ./files/dbus.json $(1)/etc/capabilities endef define Package/dbus-utils/install diff --git a/utils/dbus/files/dbus.init b/utils/dbus/files/dbus.init index 949a38d162..ec2e97b619 100644 --- a/utils/dbus/files/dbus.init +++ b/utils/dbus/files/dbus.init @@ -14,6 +14,7 @@ PROG=/usr/bin/dbus-daemon start_service() { mkdir -m 0755 -p /var/lib/dbus mkdir -m 0755 -p /var/run/dbus + chown dbus:dbus /var/lib/dbus /var/run/dbus [ -x /usr/bin/dbus-uuidgen ] && /usr/bin/dbus-uuidgen --ensure @@ -24,6 +25,12 @@ start_service() { [ -n "$DEBUG" ] && procd_set_param env DBUS_VERBOSE=1 procd_set_param stdout 1 procd_set_param stderr 1 + [ -x /sbin/ujail -a -e /etc/capabilities/dbus.json ] && { + procd_add_jail dbus + procd_set_param user dbus + procd_set_param group dbus + procd_set_param capabilities /etc/capabilities/dbus.json + } procd_close_instance } diff --git a/utils/dbus/files/dbus.json b/utils/dbus/files/dbus.json new file mode 100644 index 0000000000..e8eb9f28b4 --- /dev/null +++ b/utils/dbus/files/dbus.json @@ -0,0 +1,27 @@ +{ + "bounding": [ + "CAP_SETPCAP", + "CAP_SETUID", + "CAP_SETGID" + ], + "effective": [ + "CAP_SETPCAP", + "CAP_SETUID", + "CAP_SETGID" + ], + "ambient": [ + "CAP_SETPCAP", + "CAP_SETUID", + "CAP_SETGID" + ], + "permitted": [ + "CAP_SETPCAP", + "CAP_SETUID", + "CAP_SETGID" + ], + "inheritable": [ + "CAP_SETPCAP", + "CAP_SETUID", + "CAP_SETGID" + ] +} -- 2.30.2