daemon: put private dbus sockets in their own directory rather than /tmp
Currently gdm places D-Bus server sockets for its OpenSession
and OpenReauthenticationChannel
APIs in /tmp
. I've been working on a system where we're running gnome-shell in a sandbox, and this behaviour makes it difficult to grant access to the sockets used for lock screen authentication.
This branch tries to address that by instead placing the sockets in /run/gdm/dbus
instead, so I can expose them to the sandbox without everything else in the system /tmp
directory. I believe this should also improve general security somewhat since it is a location regular users can't write to, and we can prevent users from enumerating the sockets by locking down the directory permission to 0711
.