fix: Secure the dbus service #357

Merged

jeffshuai
Contributor

Secure the dbus service

Log: Secure the dbus service

Task: https://pms.uniontech.com/task-view-355357.html

@@ -4,8 +4,8 @@
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<!-- Only root can own the service -->
<policy user="root">
<!-- Only dde-daemon can own the service -->

deepin-daemon

IOWeight=200
User=dde-daemon

deepin-daemon

User=dde-daemon
ProtectSystem=strict
ProtectSystem=strict

Duplicated.

ProtectSystem=strict
ProtectSystem=strict
CacheDirectory=dde-wallpaper-cache
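
Review bot: `CacheDirectory=dde-wallpaper-cache` names a wallpaper cache in the System Monitor server's unit, and with `ProtectSystem=strict` in effect it is the only writable location these lines grant the service. Name the directory after this service if the daemon really writes a cache, or drop the line, and collapse the two `ProtectSystem=strict` lines into one.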

This probably isn't the right cache path, is it?

NoNewPrivileges=yes
# 传参可能需要/home
#ProtectHome=yes

Does System Monitor need /home for passing parameters?

PrivateMounts=yes
# 传参可能需要/tmp
#PrivateTmp=yes
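
Review bot: `#PrivateTmp=yes` here and `#ProtectHome=yes` a few lines above are switched off on a "may need" assumption in their comments, so the unit ships without either protection and without a recorded reason. Check which D-Bus methods actually take a path argument; if none point into /home or /tmp, enable both, and if only reads under /home are needed, `ProtectHome=read-only` keeps most of the protection.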

Does System Monitor need /tmp for passing parameters?

[Install]
WantedBy=multi-user.target
Alias=dbus-org.deepin-SystemMonitorSystemServer.service

The dbus service doesn't use this Alias, so the Alias serves no purpose.

<!-- Only root can own the service -->
<policy user="root">
<!-- Only dde-daemon can own the service -->
<policy user="dde-daemon">
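
Review bot: the account in `<policy user="dde-daemon">` has to be the same one the unit file sets with `User=`, because the daemon can only claim the bus name as the user this policy names. Rename both in the same commit (the review asks for deepin-daemon) and update the comment above the element to match.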

deepin-daemon

@deepin-ci-robot

deepin pr auto review

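Key summary:

  • In the debian/postinst script, the operation that deletes the configuration file has been commented out; it may be necessary to confirm whether that operation needs to be kept.
  • In the debian/rules script, the rm -rf ~/.config/deepin/deepin-system-monitor/config.conf operation has been added to override_dh_auto_install; make sure this operation does not affect other users' data.
  • In the file deepin-system-monitor-system-server/misc/deepin-system-monitor-system-server.service, User=deepin-daemon and ProtectSystem=strict have been added, which helps ensure the security and stability of the system service.
  • In the file deepin-system-monitor-system-server/misc/org.deepin.SystemMonitorSystemServer.conf, the permission policy has been changed to <policy user="deepin-daemon">, which helps ensure that only the deepin-daemon user can access the system service.

Is immediate modification recommended:

  • Yes, especially regarding the security and stability of system services; it is necessary to ensure that these changes do not introduce new security risks. At the same time, it should be verified that these changes comply with the project's security and permission management policies.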

@myk1343
Contributor

myk1343 commented Jul 17, 2024

[Compatibility requirements met] Y
[Commit conventions met] Y
[Coding standards met] Y
[Review conclusion] Pass
[Reason for failure] N/A

@deepin-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jeffshuai, lzwind


@jeffshuai
Contributor Author

/merge

@deepin-bot deepin-bot bot merged commit 360573c into linuxdeepin:develop/security2407 Jul 18, 2024
9 checks passed