Skip to content

GDBus: Use namespace-friendly protocol for Linux message buses, and optionally other connections

Simon McVittie requested to merge wip/smcv/gdbus-cross-namespace into main

Obsoletes !1403 (closed).

  • gdbusauthmechanismexternal: Optionally send empty authorization identity

    When using a GDBus client in a non-trivial user namespace, the result of geteuid() can differ from the uid in the namespace where the server is running. This would result in connection attempts being rejected, because the identity that the client claims to have does not match the identity that the server derives from its credentials.

    RFC 4422 allows us to send an empty authorization identity, which means we want to authenticate as whatever identity the server can derive from our out-of-band credentials. In particular, this resolves the authentication failure when crossing between different Linux user namespaces.

    Because D-Bus does not have a way to represent an empty initial response as distinct from the absence of an initial response, we cannot use the initial-response optimization (RFC 4422 §4.3.a) in this case, and must fall back to waiting for the server to send a challenge.

    Unfortunately, GDBus versions older than !2826 (merged) did not implement the server side of this protocol correctly, and would respond to the missing initial response in a way that breaks the SASL state machine (expecting a response without sending a challenge), causing client and server to deadlock with each waiting for the other to respond. Until fixed versions of GDBus are widespread, we can't rely on having a server that can cope with this, so gate it behind a flag, which can be set for connections that are known to cross non-trivial namespace boundaries.

    Originally inspired by, and based on earlier work by Giuseppe Scrivano (in which the cross-namespace behaviour was unconditional, rather than gated by a flag).

    Co-authored-by: @giuseppe

  • gdbus: Allow cross-namespace connections to Linux session and system buses

    The dominant implementations of the well-known session and system message buses are the reference implementation from the dbus project (dbus-daemon) and the sd-bus-based reimplementation dbus-broker, both of which have correct implementations for EXTERNAL authentication with an unspecified authorization identity.

    This makes it reasonably safe to assume that the well-known message buses can cope with the unspecified authorization identity, even if we cannot make the same assumption for custom servers such as the ones used in ibus and gvfs (which might have been started with an older GLib version before upgrading GLib in-place).

Edited by Simon McVittie

Merge request reports