On Tue, Mar 12, 2019 at 09:59:04AM +0100, Martin Steigerwald wrote:
> Didier Kryn - 12.03.19, 09:48:
> > Le 11/03/2019 à 19:33, KatolaZ a écrit :
> > > guys, anything using dbus will most probably (indirectly) access
> > > /var/lib/dbus/machine-id at some point in time, since that file is
> > > read when attempting to send a message via dbus.
> >
> > It's most certainly as simple as that.
> >
> > The question is why the hell do a web browser need to attach to
> > Dbus? This question is pure rant because I won't be satisfied by any
> > answer.
>
> For me it would be more important to see what DBUS, aka libdbus, is
> actually doing with the machine id.
>
> Thus I second the recommendation of KatolaZ to look at its source code.
>
Martin, AFAIU it's used just to make sure that a dbus call originates
from a process on the same machine of the receiver. But, please, audit
the code if you have time for that, and report any misbehaving. We
have also implemented a fix in dbus that re-generates
/var/lib/dbus/machine-id at each reboot (despite I think it's not
necessary).
I think that any leak in dbus would have been found by now (dbus has
been around for several years), but I might be proven wrong. The code
is free software, available and distributed under GNU GPL2+ (and also
under Academic Free License 2.1). Literally anybody can read it. But
please, let's stop shooting in the dark.
My2Cents
KatolaZ
--
[ ~.,_ Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab ]
[ "+. katolaz [at] freaknet.org --- katolaz [at] yahoo.it ]
[ @) http://kalos.mine.nu --- Devuan GNU + Linux User ]
[ @@) http://maths.qmul.ac.uk/~vnicosia -- GPG: 0B5F062F ]
[ (@@@) Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ ]