#52257: dbus: enhancements to use privileged services via the system bus and run a session bus over a remote X11 connection
--------------------------+------------------------
  Reporter:  rjvbertin@…  |      Owner:  mcalhoun@…
      Type:  enhancement  |     Status:  new
  Priority:  Normal       |  Milestone:
 Component:  ports        |    Version:
Resolution:               |   Keywords:
      Port:  dbus         |
--------------------------+------------------------

Comment (by rjvbertin@…):

 Re: privileged services: here's an extract from
 ${prefix}/share/doc/dbus/system-activation.txt :

 {{{
 Details:

 Setuid applications have to be used only when absolutely necessary. In this
 implementation I have a single executable, dbus-daemon-launch-helper, with
 the ownership root:dbus. This has the permissions 4750, i.e. u+rwx g+rx
 +setuid. It is located in /usr/libexec/ and thus is not designed to be
 invoked by a user directly.

 The helper must not be passed input that can be changed maliciously, and
 therefore passing a random path with user id is totally out of the question.
 In this implementation a similar idea as discussed with Davids' patch was
 taken, that is, to pass a single name argument to the helper. The service
 filename of "org.me.test.service" is then searched for in
 /usr/share/dbus-1/system-services or other specified directories.

 If applications want to be activated on the system _and_ session busses,
 then service files should be installed in both directories.

 A typical service file would look like:

 [D-BUS Service]
 Name=org.me.test
 Exec=/usr/sbin/dbus-test-server.py
 User=ftp

 This gives the user to switch to, and also the path of the executable. The
 service name must match that specified in the /etc/dbus-1/system.d conf
 file.

 Precautions taken:

 * Only the bus name is passed to the helper, and this is validated
 * We are super paranoid about the user that called us, and what
   permissions we have.
 * We clear all environment variables except for DBUS_VERBOSE which is used
   for debugging
 * Anything out of the ordinary causes the helper to abort.
 }}}

-- 
Ticket URL: <https://trac.macports.org/ticket/52257#comment:11>
MacPorts <https://www.macports.org/>
Ports system for macOS
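
The lookup the quoted extract describes (a single validated bus name, a search of fixed directories, a `Name` that must match) can be modelled as follows. This is an added example, not part of the ticket comment and not dbus-daemon-launch-helper's own code. `resolve_service`, `ActivationRefused` and `demo` are hypothetical names, the bus-name rule is the one from the D-Bus specification, and requiring an absolute `Exec` is an assumption of the model.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Bus-name rule from the D-Bus specification: two or more dot-separated
# elements of [A-Za-z0-9_-], none starting with a digit, 255 chars at most.
_ELEMENT = r"[A-Za-z_-][A-Za-z0-9_-]*"
BUS_NAME_RE = re.compile(rf"{_ELEMENT}(?:\.{_ELEMENT})+")

# Service file quoted in the comment above, reused as sample input.
SAMPLE = "[D-BUS Service]\nName=org.me.test\nExec=/usr/sbin/dbus-test-server.py\nUser=ftp\n"


class ActivationRefused(Exception):
    """Anything out of the ordinary: the caller aborts."""


def resolve_service(bus_name, service_dirs):
    """Return (user, exec_line) for bus_name, or raise ActivationRefused."""
    # The name becomes a file name, so it is validated before any path is built.
    if len(bus_name) > 255 or not BUS_NAME_RE.fullmatch(bus_name):
        raise ActivationRefused("invalid bus name")
    for directory in service_dirs:  # fixed, administrator-controlled list
        path = Path(directory) / f"{bus_name}.service"
        if not path.is_file():
            continue
        parser = configparser.RawConfigParser()  # no value interpolation
        parser.optionxform = str  # keep key case: "Name", not "name"
        try:
            parser.read_string(path.read_text(encoding="utf-8"))
            section = parser["D-BUS Service"]
            name, exec_line, user = section["Name"], section["Exec"], section["User"]
        except (configparser.Error, KeyError, UnicodeDecodeError) as exc:
            raise ActivationRefused(f"malformed service file: {exc!r}") from exc
        if name != bus_name:
            raise ActivationRefused("Name does not match the requested bus name")
        if not exec_line.startswith("/"):
            raise ActivationRefused("Exec is not an absolute path")
        return user, exec_line
    raise ActivationRefused("no service file for this name")


def demo():
    """Write SAMPLE into a constructed temporary directory and resolve it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "org.me.test.service").write_text(SAMPLE, encoding="utf-8")
        return resolve_service("org.me.test", [tmp])
```

Because `/` is outside the permitted character set, a name can never point outside the service directories, and every failure path raises the same exception so the caller has a single abort condition.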