Do not use Unix abstract sockets for the accessibility bus
Original reporter: Tianon Gravi
Area: Platform component
Message
Hi! To preface my report, I want to be clear that I'm not sure this is actually something that can be exploited, but figured that, just in case, it should be discussed privately (I can't find any public reference to it already).
In the "at-spi2-core" project, "bus/accessibility.conf.in" (which is used to generate the default configuration for at least Debian, but probably many others) is still using "unix:tmpdir=/tmp", even though most other D-Bus services on my own hosts appear to be using unix sockets (typically via systemd socket activation, but I'm not sure how difficult that would be to integrate here).
As I'm sure you're aware, abstract sockets are much more annoying for a user to lock down access to than unix sockets (where we have filesystem permissions, mount namespaces, etc.) or even IP sockets (where we have iptables, etc.), which I believe is the motivating factor for other D-Bus services having moved away from "tmpdir" and/or abstract sockets.
I've tested on my own machine modifying that configuration to "unix:dir=/tmp" instead, which seems to work successfully and results in "/tmp/dbus-XXXX" instead of an abstract socket, but I have to admit I'm not sure how to fully test that it's actually doing what it's supposed to be doing? (I don't actually understand what this service is doing on my system, so please forgive my ignorance. /o)
Is this something that would be considered a useful change for the project? Should I work on a proper patch either for an MR, or to be applied in an embargo? (depending on whether y'all feel it is a security issue)
Thanks for your time / consideration, and for your work on the GNOME project at large! <3
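To make the distinction in the report concrete, here is an added example (not at-spi2-core or dbus project code) that classifies D-Bus listen addresses such as `unix:tmpdir=/tmp` versus `unix:dir=/tmp` by the kind of socket the server will create, and scans `/proc/net/unix` output for abstract sockets, which the kernel lists with a leading `@`. The address rules follow the D-Bus specification's address format; the `/proc/net/unix` lines are constructed sample data.

```python
from urllib.parse import unquote

# Keys of the D-Bus "unix:" transport and the socket kind each one yields.
# tmpdir= becomes an abstract socket on Linux (where abstract sockets exist)
# and a filesystem socket elsewhere; dir= and path= are always filesystem.
ABSTRACT_KEYS = {"abstract"}
FILESYSTEM_KEYS = {"path", "dir"}
TMPDIR_KEY = "tmpdir"

def parse_dbus_address(address):
    """Split 'transport:k=v,k=v;transport:...' into (transport, params) pairs."""
    entries = []
    for item in address.split(";"):
        if not item:
            continue
        transport, _, rest = item.partition(":")
        params = {}
        for kv in rest.split(","):
            if kv:
                key, _, value = kv.partition("=")
                params[key] = unquote(value)  # D-Bus address values are %-escaped
        entries.append((transport, params))
    return entries

def classify_listen_address(address):
    """Return (transport, kind) per entry; kind is 'abstract', 'filesystem',
    'abstract-on-linux' (tmpdir=) or 'other' (non-unix or unknown keys)."""
    result = []
    for transport, params in parse_dbus_address(address):
        if transport != "unix":
            kind = "other"
        elif ABSTRACT_KEYS & params.keys():
            kind = "abstract"
        elif TMPDIR_KEY in params:
            kind = "abstract-on-linux"
        elif FILESYSTEM_KEYS & params.keys():
            kind = "filesystem"
        else:
            kind = "other"
        result.append((transport, kind))
    return result

# Constructed /proc/net/unix excerpt: one abstract dbus socket, one path socket.
SAMPLE_PROC_NET_UNIX = """Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12345 @/tmp/dbus-AbCdEf
0000000000000000: 00000002 00000000 00010000 0001 01 12346 /run/user/1000/bus
"""

def abstract_sockets_in_proc_net_unix(text, prefix="/tmp/dbus-"):
    """List abstract socket names ('@' prefixed) that look like D-Bus tmpdir sockets."""
    names = []
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) >= 8 and fields[7].startswith("@" + prefix):
            names.append(fields[7])
    return names
```

Running `abstract_sockets_in_proc_net_unix(open("/proc/net/unix").read())` on a live Linux host shows whether the accessibility bus is currently exposed as an abstract socket.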