sd-bus: allow cross-uid-namespace connections #11785
This PR allows
The first patch fixes a bug in the sd-bus server SASL implementation.
The second patch improves sd-bus to no longer send uids verbatim. Instead, we send an empty argument to
Note that this PR will very likely break live-updates. The problem is that sd-bus currently is broken since it sends incorrect SASL lines as server. So if you merge this PR and run
hmm, not sure i follow. i mean, the new behaviour is triggered by the client, no? i.e. old clients send the auth token along with the AUTH iiuc, and the server replies to that with a correct answer. new clients with your patch applied will send no auth token and instead expect a DATA reply, iiuc. hence, why not update the clients so that it can also deal with the missing DATA reply in that case? unless i am missing something this should make all clients work against all servers, no? because for old clients the server response on old and new is not different, and for new clients we can just make sure that both types of server responses (the old incorrect + the new correct) are accepted, no?
Yes, we can make clients accept the "incorrect" response, but that will mean we accept weird server behavior. To be clear, we would then allow a server to respond with one of these:
Problem is, a non-pipelining client would actually not respond with "DATA " to a line that says "OK", but the broken server does require the client to respond with "DATA ".
So yeah, we can make the client accept both without causing any bigger issues other than possibly being unable to catch issues in other implementations (which I agree is probably negligible).
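As an added illustration of the client-side tolerance discussed in the two comments above (not code from this PR or from sd-bus): a check of the server's reply to a pipelined `AUTH EXTERNAL` plus `DATA`, with a switch that decides whether a reply skipping the `DATA` line is accepted. The function names, the return codes and the exact shape of the legacy reply (a bare `OK <guid>` line) are assumptions.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum { AUTH_INCOMPLETE = 0, AUTH_OK = 1, AUTH_REJECTED = -1, AUTH_PROTOCOL_ERROR = -2 };

/* Find the end of the CRLF-terminated line at p. Returns the start of the
 * following line, or NULL if the line is not complete yet. */
static const char *next_line(const char *p, size_t *len) {
    const char *e = strstr(p, "\r\n");
    if (!e)
        return NULL;
    *len = (size_t)(e - p);
    return e + 2;
}

/* "OK " followed by the server GUID as exactly 32 hex digits. */
static int is_ok_line(const char *l, size_t len) {
    if (len != 3 + 32 || memcmp(l, "OK ", 3) != 0)
        return 0;
    for (size_t i = 3; i < len; i++)
        if (!isxdigit((unsigned char)l[i]))
            return 0;
    return 1;
}

/* Validate the reply to "AUTH EXTERNAL\r\nDATA\r\n".
 * Conformant server: "DATA\r\n" then "OK <guid>\r\n".
 * Legacy server (assumed shape): "OK <guid>\r\n" only, accepted
 * only when accept_missing_data is non-zero. */
int verify_external_reply(const char *buf, int accept_missing_data) {
    size_t len;
    int saw_data = 0;
    const char *line = buf, *next = next_line(line, &len);

    if (!next)
        return AUTH_INCOMPLETE;
    if (len == 4 && memcmp(line, "DATA", 4) == 0) {
        saw_data = 1;
        line = next;
        if (!(next = next_line(line, &len)))
            return AUTH_INCOMPLETE;
    }
    if (len >= 8 && memcmp(line, "REJECTED", 8) == 0)
        return AUTH_REJECTED;
    if (!is_ok_line(line, len))
        return AUTH_PROTOCOL_ERROR;
    if (!saw_data && !accept_missing_data)
        return AUTH_PROTOCOL_ERROR; /* strict mode flags the non-conformant server */
    return AUTH_OK;
}
```

Running with `accept_missing_data` set to 0 in tests against other implementations keeps the ability to catch servers that skip the `DATA` step.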
referenced this pull request
Feb 21, 2019
This also seems to break something fundamental, as the failed test log shows:
These three "access denied" are from trying to stop three services (
This reproduces perfectly locally, so this is a real regression indeed.