>I've decided to take matters into my own hands. I am writing a new bus.
Why not reuse Binder which has been to deployed to billions of devices, being a core part of a serious OS, with many many more developers who understand it compared to dbus.
You would probably want to write your own service manager, but you can reuse hardened stuff that already exist.
Yes! Make something built on top of binder, and use something with orders of magnitude more users and developer resources behind it..
> hardened stuff that already exist.
To make it even more hardened(?), Google recently contributed and got merged a Rust implementation of binder for the Linux kernel (and they're apparently planning to eventually remove the old C implementation).
Which OS? I didn’t get many results for BSD binder. Then I figured maybe you were joking about the “serious” part, so I tried windows binder, iOS binder, didn’t see much…
Considering that any new implementation of Binder userspace would realistically also be incompatible with Android Binder, what would really be the gain here? You'd basically have yet another wire protocol that nobody else uses but now also depends on having a obscure Linux feature enabled.
Why would it need to be a new implementation? AOSP is like... right there, and it's not like libbinder has crazy dependencies.
> also depends on having a obscure Linux feature enabled
An extremely widely used and battle hardened Linux feature, though, with corporate sponsorship and active development. With the only real reason it's obscure on desktop linux at all is because upstream blocked it for a long time. If desktop linux embraced it, it certainly wouldn't be obscure anymore, now would it?
Most of binder is in outright Java. Libbinder_ndk is a subset that is unlikely to please anybody. The other libbinder (openbinder) is dead since 2006ish. I actually used this last one in certain commercial product.
> An extremely widely used and battle hardened Linux feature, though, with corporate sponsorship and active development.
Compared to _unix sockets_ , which is the other transport used by almost every other local IPC mechanism, and also what D-Bus uses, there is just no contest. Even Android uses unix sockets more than Binder.
None of binder is in Java. The Java binder code is just JNI bindings to the native implementation.
Things like permission manager are in Java, but that's not part of binder. It's just a service published on binder, and one that wouldn't translate to current desktop Linux anyway.
> Compared to _unix sockets_ , which is the other transport used by almost every other local IPC mechanism, and what both D-Bus, TFA's proposal, and literally any other reasonable desktop IPC proposal out there, there is just no contest.
unix sockets are not an equivalent, which is why protocols are bolted on top to turn it into dbus, etc...
EDIT:
> The other libbinder (openbinder) is dead since 2006ish.
The libbinder I meant is the one in AOSP hence why I said "AOSP is right there":
This libbinder is still way too Java-centric. It can be used from outside, and even slightly reminds me of openbinder (e.g. sp<> https://cs.android.com/android/platform/superproject/main/+/... ) but it doesn't really change the picture much. You have something which smells Java from a mile, and has a lot of other Android-isms to boot, so still likely requires to reinvent a lot of the wheel to actually use it for most desktop programs.
Even the use of C++ is likely to frown many people. (Not me).
That is a java version of a class from libbinder. Having Java and native versions of classes is a common pattern for things meant to be used from both.
The C++ origin of Binder is annoying, but unlike original Binder[1] easily workable around especially given the exact format of messages is left up for implementation to decide outside few standard bits
[1] BeOS, the docs still match what is in Android :D
Not widely known but the original Binder, OpenBinder, was not even for Linux or Android It was developed for BeOS.
OpenBinder was one of the few pieces of code which was open sourced in Be Inc’s dying days just before it was acquired by Palm.
Many of the principal Be developers who worked on OpenBinder, Dianne Hackborn, Jean-Baptiste Queru, et al then moved from Palm to Danger, which was developing Android and which was later acquired by Google.
D-Bus is over 20 years old so a reboot is in order. All this guy's gripes are not legitimate, but many are. However, upgrading desktop infrastructure is just as much about influence (clout) and "social" excellence as it is about technical exellence. A new ipc mechanism that is not backed by the major players has no chance.
I'd argue vaxry _is_ a major player, what with the rise of omarchy.org and r/unixporn, popularizing hyprland enough for him to have enough momentum to publish standards for this new era of TWM linux desktop.
God I loved kparts, but wasn't that more the idea that everything should be embeddable?
> KPart technology is used in kde to reuse GUI components ... By using kparts in applications developers can spend less time implementing text editor or command line features, for example and just use a katepart or a konsolepart instead.
Yes it is, but since "KDE 5" I've seen less of it. Besides the obvious example of Konqueror another great example of it was reKonq, which used Akregator, Okular and Kget to handle RSS and PDFs respectively (all within the reKonq window).
Just from the top of my head that I've noticed as a user: several apps, such as Dolphin or Yakuake, use konsolepart; KWrite uses katepart, and Ark uses various parts in its file preview.
The problem with dbus is also that all these nice browser extensions that integrate websites with gnome/kde talk over dbus. These dbus APIs had several DOS vulnerabilities, some of which could be triggered by visiting any website. It is unacceptable that my desktop environment crashes just because something floods the dbus API, even moreso if it can be triggered by visiting a website.
So if you are a security researcher, dbus is a very worthwhile entry point if you want to improve some open source software :-)
I'm guessing the poster meant the USB and Bluetooth browser protocols (which I still find insane how anyone thought those were a good idea, but it's literally the only way to configure some keyboards today).
> Ever seen kwallet or gnome-keyring? Yeah, these things. These are supposed to be "secret storage" for things like signing keys, passwords, etc. They can be protected by a password, which means they are secure... right? [...] any app on the bus can read all secrets in the store if the store is unlocked.
Well, TIL. Looks like the default GUI for that is `seahorse`, so let's see what I've got on a relatively fresh installation... Looks like mostly Chromium stuff where there's a key that unlocks something more application-specific (e.g. for Discord) and an access token for my JetBrains account.
So no plaintext passwords per se, but now I wonder what a malicious app might uncover if it pursued the local Chromium stuff.
Where do you think those secrets are going to be stored otherwise and how are you planning to authenticate to them?
If you're not entering a password at some point, then they're in memory and available to all anyway. If no system prompts or notifies you access is happening, then it's irrelevant what software machinations might be governing this.
On platforms like Android, iOS, and macOS, secrets are easily stored encrypted with no access to the key unless you exploit the kernel. On Windows, a similar feature is opt-in, but compatibility makes it a little less reliable.
iOS and macOS combine sandboxing with their Secure Element. Android uses TEE or a secure element-like piece of hardware. Windows uses a hypervisor + the (f)TPM.
Nothing Linux can't do, it's basically glueing together a small early boot KVM VM + TPM + secure boot together with an API. Setting up your own secure boot keys to make it run relatively seamless is a pain on many consumer devices, though.
All of that is about protecting secrets at rest on the device. It is of no protection at all if an application simply asks the secure-whatever for them and then proceeds to email them all to someone else.
The secrets in the keyring of my secure boot protected, full disk encrypted laptop are exactly as secure until I boot it up and unlock the keyring for Dbus.
Keychain access can be limited with ACLs, enforced with code signing signatures as well on iOS and more so on macOS where the “keychain” can still be the older file based type.
There are secrets I cannot export from my system keychain without disabling SIP on my Mac.
> It is of no protection at all if an application simply asks the secure-whatever for them and then proceeds to email them all to someone else.
On Windows the application can specify some extra entropy/salt, and the secret is not decryptable without it[1]. So it's a tad more difficult to exfiltrate than simply asking for it.
What are people not getting about this? The point of a shared keyring is to enable applications to share secrets. My git tokens are shared between git, my IDE, various scripts etc.
This discussion highlights the exact issue: people don't even understand what problem or use case they are actually solving.
When Important Banking App stores a secret to my "keyring", I would never have expected that the "secret" would be trivially available to all other programs that run.
Imagine if it worked that way for browsers, and every website with a saved-password got to see all the other saved passwords...
Why is your banking app entering a secret to your keyring? That would be like writing your safe code in a paper and let it hang onto a physical keyring.
The problem isn't what's on the keyring, the (reported) problem is that it can be arbitrarily inspected in full by any program. Doors should not be able to enumerate and copy all the keys that aren't meant for them.
> Why is your banking app entering a secret to your keyring?
What is any "keyring" for if not to carry things you keep secret and exclusive?
The problem here is leakage between purposes. I don't care if the banking app is just storing my logon name for convenience, even that should never be scrapeable by Linux BonziBuddy. [0]
> That would be like writing your safe code in a paper and let it hang onto a physical keyring.
Why even put any regular keys onto such a horribly flawed keyring either? There's no real difference between (A) seeing combination-lock numbers versus (B) seeing the shape of a key that is trivial to reconstruct. [1]
Unix already have a security model for this: User and Groups. You could create a new user called `banking`. And used that exclusively for any banking activities. Especially with the X11 model where you just have to type `startx` and not have to launch a bazillion software to keep a DE happy.
Have you actually tried that approach, with an individual user for all your programs?
In fact, I was attempting that kind of thing just this week, namely trying to run Spotify (distributed as a snap) as separate user in a visible window. Maybe it's possible, but it's certainly not trivial or turnkey.
> However, the best thing is this: any app on the bus can read all secrets in the store if the store is unlocked
>> The GNOME project disagrees with this vulnerability report because, according to their stated security model, untrusted applications must not be allowed to communicate with the secret service.
I'd like to point out for anyone on the fence that yes, Gnome is run by clowns in full sized clown shoes.
This is especially amazing given how much of wayland friction is in the name of security ("Why would we ever standardise a way to intercept and send keystrokes? it's not secure!")
I always thought as the secret for things that should not be saved non-encrypted on disk, not for things that should be kept hidden from other applications. And if that is your threat model, you should look into virtual machines.
Program running as user can read data owned by user. If this is a vulnerability then the entire linux userspace is compromised. Can you believe that applications I run can execute gpg2 and steal all my secrets?
The dbus process is run by and owned by your user. The only people that can access it is you and root. There is a system-wide bus but your secret manager isn't using that one.
It’s almost as if the user/group/everyone permission model developed for time sharing mainframes isn’t sufficient anymore for absolutely everything anymore.
Fortunately today with AI everyone CAN actually audit all the code for all the software running on their machine themselves by sending it to a black box cloud service, thereby running only software they KNOW they can trust! /s
I wonder if the design of D-Bus has anything to do with a principle I notice a lot, where the most meritorious solution never rises to the top for any given problem, but rather one apparently chosen by absolute randomness. For example, I wonder how many repos on github have legitimately created a 100% better framework than React, but the author simply can't get the word out for whatever reason, so the project remains accidentally anonymous. Maybe D-Bus has something similar?
> the most meritorious solution never rises to the top for any given problem, but rather one apparently chosen by absolute randomness.
Respectfully, i think that mostly happens when people reviewing the solution space don't understand the problem fully. Often the requirements differ from what people think they are, and as a result the winner seems random because they don't understand the actual requirements.
D-Bus came to prominence because of its association with GNOME, which has in turn has remained relevant mostly because of its association with Red Hat.
Most of the time, there is usually no "most meritorious", just something that is elsewhere on the "trade-off space" than the person speaking would like. I usually dismiss everybody who so snidely and arrogantly dismisses results of other people's work(e.g. the OP article), like there was some _obviously_ correct solution that the people who worked on the widely accepted solution were too stupid or malicious to choose. They could not possibly have had other priorities or doing their best to get something working acceptably in a complex ecosystem with no central control, no! They are just dumber than you (or just plain malicious).
The world is filled with "good enough" solutions. If it has 80% of the functionally needed, it will be good enough for most use cases.
> the most meritorious solution never rises to the top
You know why? Because it was the best solution at the time that covered everything they needed. You can only complain about it because the initial problem was solved and people were able to move on to something else.
Does it work for what we need it to do? Yes? Ok. Now that we have settled this problem, we can continue on developing.
Meritocracy is only relevant to someone who has ideas but no desire or ability to actually structure the idea in such a way that would work in the world we find ourselves in today.
> Maybe D-Bus has something similar?
So you just commented here to say nothing but "dbus sucks because it isn't the best. I wonder if there are better options?".
iirc it was developed as freedesktop project in order to create standard desktop bus to be used by everybody, as back in a day kde had it's own bus and gnome had another one.
> The GNOME project disagrees with this vulnerability report because, according to their stated security model, untrusted applications must not be allowed to communicate with the secret service.
> Applications sandboxed via Flatpak only have filtered access to the session bus.
While I see why they think this is a bad answer it really reminds me of this: https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31... . Also they did not cite the last statement in their quote and made screenshots, so the quotes are not copyable. Who the hell does that?
I am not a fan of Wayland either, I rather want to be able to run programs from different users against the same application server. This works just fine on Xorg.
> D-Bus was introduced by GNOME folks about 20 years ago. For software made only 20 years ago, as opposed to 40 like X, it's surprisingly almost equally as bad.
Can't you guys stop reinventing the wheel every other day? I hate D-Bus like everyone else, even though at least it did bring project Utopia and all such crap. But even if I think it sucks I stay with it for the simple reason that the more alternatives you create the more you annoy other users WAY MORE than any benefit you bring them. D-Bus has been used everywhere from LG TVs to automotives, so at least it f*cking works.
Does it miss a spec? Write one.
Do you really want your secretsd or whatever to only be able to reply to whomever stored the secret? Make clients store a cookie or something and only reply if they prove ownership of it. But I have to ask : what the hell is your threat model here? The attacker is just going to ptrace firefox and read all the secrets anyway. Or read its files in $XDG_CONFIG_DIR. You are just moving around who has the ultimate responsibility, and that looks like security theater. In addition, I _want_ other programs to be able to read secrets (e.g. keyring administrators, .netrc-style shared secrets, etc.)
Do you hate a{sv}? If you propose JSON as alternative, you are going to make me laugh.
> Make clients store a cookie or something and only reply if they prove ownership of it
Unix domain socket authentication is stronger and doesn't require storing cookies on the client side.
> what the hell is your threat model here? The attacker is just going to ptrace firefox and read all the secrets anyway.
Which is why you can (and people do, e.g. flatpak) run applications where ptrace or global filesystem access is blocked. Which is why portals exist and why there shouldn't be a "get all secrets via dbus" escape hatch.
> I _want_ other programs to be able to read secrets (e.g. keyring administrators, .netrc-style shared secrets, etc.)
Then don't use it? Secure defaults matter for most users.
> Do you hate a{sv}? If you propose JSON as alternative, you are going to make me laugh.
> Unix domain socket authentication is stronger and doesn't require storing cookies on the client side.
And pointless here, since everything runs under the same uid. You need to authenticate this is the same browser that stored this secret, not that this is the same uid (useless), or the same pid, or any other concept that unix domain socket authentication understands.
> Which is why you can (and people do, e.g. flatpak) run applications where ptrace or global filesystem access is blocked. Which is why portals exist and why there shouldn't be a "get all secrets via dbus" escape hatch.
In which case they do not connect to the same D-Bus "bus", and the problem is again non-existent. See how flatpak sandoxing does it.
> Then don't use it? Secure defaults matter for most users.
Right until they notice they can no longer view the keyring contents, or any other stupid limitation most desktop users couldn't care about.
In fact, if you do not need a shared secrets service, and your applications are containerized... why do you need a secrets IPC at all? Just let each program store its secrets in some of its supposedly private storage...
Much better to have a million non-extendable protocols competing with each other. To this day there are two protocols (at least) for exposing the address of the DbusMenu service of a surface, one for gnome-shell and one for kwin. So much for the uglyness of X atoms. And this has nothing really to do with the design of the IPC mechanism itself...
Since docker, we know how to do pretty good isolation (some of the tech is shared by Flatpak etc. sandboxes) - just put stuff into different namespaces with some auth api allowing processes to 'mount' the necessary stuff.
The closer you stick to the kernel security model, the more likely your app will be safe and performant, and the less likely other devs will reject it in favor of their hand rolled stuff.
> In fact, if you do not need a shared secrets service, and your applications are containerized... why do you need a secrets IPC at all? Just let each program store its secrets in some of its supposedly private storage...
If I store my secrets in KWallet, which purports to _storage for secrets_, I absolutely do not expect every application on the desktop to have access to those secrets, whether I want to share them or not.
I can't believe you're suggesting this is sanely defensible.
KWallet has never provided any security guarantee, so I dunno what is your surprise here. Its entire premise is centralization and sharing (i.e. not having to type each individual password over and over in each program).
> And pointless here, since everything runs under the same uid. You need to authenticate this is the same browser that stored this secret, not that this is the same uid (useless), or the same pid, or any other concept that unix domain socket authentication understands.
I disagree. With UNIX domain sockets it is absolutely possible to determine the PID of the process that you are talking to and use pidfd to validate where it is coming from. Would be entirely possible to use this for policy.
> In fact, if you do not need a shared secrets service, and your applications are containerized... why do you need a secrets IPC at all? Just let each program store its secrets in some of its supposedly private storage...
And how exactly does the app container service store something encrypted securely on disk? That's literally the point of a secrets service on a modern desktop. It usually gets keymatter in the form of a user password carried to it from PAM, in order to allow on-disk encryption without needing separate keyring passwords. (And yeah, sure, this could use TPM or something else to avoid the passwords, but the point is literally no different, it shouldn't be each application's job individually to manage their own way of getting secure storage, that's a recipe for data loss and confusion.)
> Much better to have a million non-extendable protocols competing with each other. To this day there are two protocols (at least) for exposing the address of the DbusMenu service of a surface, one for gnome-shell and one for kwin. So much for the uglyness of X atoms. And this has nothing really to do with the design of the IPC mechanism itself...
That's a problem that occurs because the protocols have multiple distinct implementations. Most of the dbus services don't have to deal with that problem at all. (And the ones that do, tend to have problems like this. There are plenty of weird incompatibilities with different XDG desktop portal implementations.)
I'm pretty sure the point of bringing up xdg-shell is because the new bus is inspired by the Wayland protocol. For all of the incessant bitching about Wayland online, Wayland protocols are only about 1000x nicer to use than dbus. You can actually do decent code generation for it without having to have like 5 competing ways to extend the XML to add basic things like struct member annotations (and then have things like Qt's own DBus code generator unable to actually handle any real DBus service definitions. Try throwing the systemd one at it, doesn't fucking work. The code doesn't even compile.)
> determine the PID of the process that you are talking to and use pidfd to validate where it is coming from.
The pidfd_open() man page doesn't list many things that can be done with a pidfd. What sort of validation do you have in mind?
I would love to have a reasonably snoop-proof secret storage service whose security model works with normal programs (as opposed to requiring Flatpaks or the like).
> With UNIX domain sockets it is absolutely possible to determine the PID of the process that you are talking to and use pidfd to validate where it is coming from.
Validate what? You're just moving the responsibility to whatever answer you give here. If you say "validate the exec name is firefox-bin" then the next person who comes in will say "I hate $your_new_fangled_ipc, you can make it dump all your secrets by renaming your exec to firefox-bin". (This is just an example).
> And how exactly does the app container service store something encrypted securely on disk? That's literally the point of a secrets service on a modern desktop.
The more I think of it, the less sense this makes. If you already have a system where applications cannot read each other's data, what is the point of secret service? What is the security advantage?
If you want to encrypt with TPM, fingerprint, or anything else, that's encryption, which is separate from storage (you can encrypt the password with say a PCR but the application gets to store the encrypted password in any way they want).
Password encryption in the desktop keyrings are for the situation for when every application can read each other's data files easily (again, as in the desktop). In which case, it may make sense to use encryption so that such data is not (trivially) accessible from any other application (otherwise https://developer.pidgin.im/wiki/PlainTextPasswords applies) .
If your applications are already running sandboxed, a keyring sounds to me like useless complexity? Just make each application store its data into its sandbox. What's the threat vector here, that super-user-that-can-escape-sandbox can read into the sandboxes and extract the password?
> You can actually do decent code generation for it without having to have like 5 competing ways to extend the XML to add basic things like struct member annotations (and then have things like Qt's own DBus code generator unable to actually handle any real DBus service definitions. Try throwing the systemd one at it, doesn't fucking work. The code doesn't even compile.)
Yes sure, another problem resulting from the lack of standarization. But my point was -- standarize (write a spec), instead of adding more to the problem by creating yet another competing standard which will obviously NOT solve the problem of lack of standarization.
The funny/sad detail is that the 80s (at the latest) already solved the problem. Have a look as XDR and Sun RPC. It has both strongly typed APIs and versioning built in. You would have to come up with your authentication mechanism for applications e.g. have them send a cookie file (descriptor).
This is the first time I hear that anyone hates D-Bus. I always saw it as a global API Bus that Apps can register to and which enables some sort of interoperability and automation. After all it can even be used from Bash. What is bad about this?
The security aspect seems also a bit funny to me. After all the average Desktop has most data in the home directory, so every application can read everything. That's not the fault of D-Bus.
Also I'm puzzled that Polkit hasn't been mentioned even once.
> The security aspect seems also a bit funny to me. After all the average Desktop has most data in the home directory, so every application can read everything.
The world is moving towards sandboxed applications (through flatpak and friends) more and more. As per the OP, this is one of the things holding sandboxing back.
> The security aspect seems also a bit funny to me. After all the average Desktop has most data in the home directory, so every application can read everything. That's not the fault of D-Bus.
Those secret stores (gnome-keyring/kwallet) store the secrets encrypted on disk, so every application can read the encrypted secrets but only the secret store has the encryption key to decrypt them. This is held in memory, not on disk.
I am puzzled by this comment - hasn't been an explicit goal for the Linux desktop (pushed esp by the Gnome/Fedora folks) to have applications run in a sandbox? That's literally what stuff like Flatpak xdg-desktop-portal and Wayland isolation are built around.
And maybe its time for a reinvention anyway? IPC and efficient and portable formats are very mature nowadays, with protobuf, flatbuffers etc. and the general model of the internet is based around service location, and stuff talking to each other.
I'm kida curious why they didn't go with Unix Sockets in the first place, with named pipes in memory carrying the message transport.
> hasn't been an explicit goal for the Linux desktop (pushed esp by the Gnome/Fedora folks) to have applications run in a sandbox?
Yes, and the article's author forgot to tell you that their rant doesn't apply to applications running in a sandbox, as their D-Bus access is filtered.
I've never had much luck with it either. A lot of the same pain points as the author.
As for it being used everywhere, sure, we had some bad SOAP stuff being used everywhere at one time, but that's not a good thing...
Regarding secrets etc.. on the one hand, yeah it's not much to worry about people with access to your machine reading stuff on your machine, buut*, it's kinda dumb to have stuff encrypted and left around for a public unsecured protocol. The solution would be, for apps that need security, don't use dbus.
If the API was less loosey goosey (self documentating, not so open ended, less awkward), I agree it's fine for applications at the same level of trust to all access the same thing.
The problem is more random scripts off the internet using browser apis to read stuff out of local storage containers. Forcing local containers to explicitly allow such access, and yes, using a non-dbus protocol, would be a preferred method, while not requiring overly complex authentication schemes locally...
Otherwise the main change I would have made would be to explicitly allow applications to access the bus, vs just a random app having access by virtue of running in memory...
I may be naive, but why not adopt the browsers api development model. 90% shared core apis, experimental ones, for a few years it seems that every group can work on its code without breaking things for user much while new ideas coming regularly.
Perhaps the SecretManager deserves some extra attention, but I concur. We worked long enough on this, please dont split whats left of the linux desktop...
You may be joking but I think seriously that may be a decent idea. The universal RPC/automation mechanism which everybody implements-whatever its warts may be-is superior to a better-designed one which few actually end up supporting. You don’t need an LLM to call MCP tools, there’s nothing stopping you from calling MCP tools from any programming language.
Problem is, varlink has been created to alleviate the pain while what I'm looking for here is even more suffering. Perhaps add AI and MCP into the mix. At kernel level with hard dependency on sudo-rs. And local RPC should be blockchain-based.
A gold standard behaviour for when you want to replace a disfunctional tool/system and will require buy-in from a wide community, is to behave like Charlie Marsh did with ruff and uv.
He didn't barge in guns blazing proclaiming "pip is a disgrace" and "it's a fuckin joke". He wrote a tool that was much better and encourage others to try it. Within a year or so, it snowballed into an unstoppable change.
This project currently has a bunch of C++ files, no docs, no tests, no roadmap on how it might replace d-bus, nothing. And as another commenter pointed out, starting a new system service in 2025, yelling about security, and doing this in an unsafe language doesn't inspire confidence.
Lennart Poettering, Theo de Raadt and Linus Torvalds may get away with talking like this, but if you seriosly want to bring a wide community on board (without which the entire thing is a non-starter), look to Charlie instead.
Oh, and also, if you think D-Bus is bad, consider yourself lucky you didn't need to use the thing it replaced - CORBA.
> This project currently has a bunch of C++ files, no docs, no tests
I think the more important thing is the protocol itself, rather than the specific implementation. As the author notes the current D-bus standards are substandard at best.
I think one of the point from your parent comment is that something that works for people is a powerful way of making things happen, much more powerful than rants or theory or protocols. I also noticed that with cryptography algorithms/protocol for example: design the most amazing algorithm - no one is going to use it ever if there is no great reference implementation people can use.
Similarly I wish open-source devs who wish to extend and improve existing tech take a page out of Microsoft and do their Embrace, Extend, Extinguish tactic. Like: "Here is my new D-Bus implementation, it has a couple of extra bells and whistles, which I need for my project, and is faster. Oh I have added more security, you don't have to use it right now, but some services will require it. ... Security is now mandatory. ... The protocol is now called Wire and if you need D-Bus, you can run this legacy translation layer. ... The legacy translation layer is no longer installed by default, but will be maintained for those who need it. ... It has been 30 years since anybody has needed D-Bus, we are no longer maintaining the translation layer."
Which is kind of what OP is doing, but less directly inflammatory. I wish him all the luck regardless.
I was under the impression that the security concerns there are handled by AppArmor and SELinux (though maybe not granular access control to secrets). Which all desktop Linux installs should be using one or the other, because there's much more than just D-Bus that can be a security risk.
Raises the obvious question of why not using the wayland protocol (on another socket, not on the compositor socket). It has mature implementations in many languages, an IDL with compilers, and every GUI application is already going to link to libwayland anyway.
I think this is missing the main problem with security on a Linux Desktop, the user. All an attacker has to do is to convince the user to run InstallSteamWithAllGamesUnlockedForFree.sh You know, the AnnaKurnikovaSexTape.exe of the windows world.
This is an education problem and no amount of tech is going to fix it.
Even if dbus didn't have this problem, this is my hardware, I'll do what I want! That's the whole point of Linux.
That's not the problem. The real problem is that if I convince you to run my script, it's going to be quite easy to convince you to give me extra permissions, so I can get to your data. It really irks me when things like Cargo are doing exactly that, make me run a sh script. Cargo and the likes, are making running sh scripts way too common.
I'm trying a distro with Connman instead of NetworkMangler. It's the same deal. I could not for the life of me get it to connect or even see my cellphone's wifi tethering hotspot.
I shutdown the connman service and removed it from the auto startup sequence. I manually edited frickin' wpa_supplicant.conf to put my cellphone network there. Worked first time and every time thereafter.
The founding document of GNOME is called "Let's Make Unix Not Suck" by which the authors (primarily Miguel de Icaza) meant "Let's Make Unix Almost Exactly Like Windows". D-Bus is just the latest in a series of attempts to bring Microsoft's janky, kind of an object model to the realm of Unix's small do-one-thing C programs plumbed together with file descriptors, pipes, and network sockets. Except somehow, they added even more problems on top of the ones COM already had!
At least when Steve Jobs tried to retrofit Smalltalk style OOP onto the Unix model, he had the foresight to bring much of Smalltalk (in the form of Objective-C) along with.
X is deprecated. Its maintainers do not want to maintain it. They want you to use Wayland instead.
The major DEs have removed their X code paths, or will in the next year. The toolkits will follow suit. X is a dead end for new and non-legacy software.
Supported by whom? Xorg, the server, no longer maintained. Also, OpenBSD users already a tiny fraction of users...if every single OpenBSD desktop switches to Linux and Wayland, not a single metric will change significantly.
Are there hard numbers to back up the 80% thing? I don't know one way or the other, I'm just skeptical because I still have applications which don't work correctly under Wayland (Discord), and if I have such problems it wouldn't surprise me if others do too.
I'm not sure why you would need to have "heard of that". If I was getting Linux to work on my computer as many people have, and got xeyes or xterm to work, I would expect other X11 apps to work as well.
It is almost gone for me too, except that I can't adjust brightness on my laptop with Wayland. I can with X11. It's a long story but that's the TL;DR of it. So until all of that almost goes away, it's full X11 at least for some people like me.
I was surprised to learn that Wayland still doesn't offer control of keyboard LEDs like Scroll Lock, so unprivileged programs that use those LEDs cannot be ported to Wayland.
Even if I didn't depend on such a program myself, I would find it strange that Wayland gives the compositor responsibility for only part of the keyboard: its keys, but not its indicator lights.
Are you really thinking of dbus here? It's not in the normal binary loading path. And afterwards, it's not any different from other libraries which may or may not stop the app from functioning for many reasons.
>Back when I was writing xdg-desktop-portal-hyprland, I had to use a few dbus protocols (xdg portals run on dbus) to implement some of the communication. If we go to the portal documentation, we can find the protocols.
>[...]
>None of the apps, I repeat, fucking none followed the spec. [...]
>Fun fact: THIS IS STILL THE CASE! The spec advertises a "restore_token" string prop on SelectSources and Start, where no app does this and uses "restore_data" in "options".
Wrong. xdg-desktop-portal has a client API and a compositor API. In the client API the property is called restore_token [1]. In the compositor API the property is called restore_data [2]. Clients do not talk directly to the compositor, they talk to the xdg-desktop-portal application which then talks to the compositor. It is not surprising the the properties would not be called the same.
In the documentation the APIs for app developers and desktop developers are clearly separated on the left hand side [3]. Not only does this have nothing to do with DBus (it would apply to every API where a middleware is used to translate messages), it also shows that the author did not do his due dilligence.
> It is not surprising the the properties would not be called the same.
It is a bit surprising that xdg-desktop-portal has two very similar APIs that differ in non-obvious and seemingly-arbitrary ways. I was also a bit confused about how the two APIs correspond (or don’t) when I first read their documentation.
I do not like D-Bus either, and I do not like JSON either. Some of the problems are the ones mentioned there, and it has many other problems as well (one of these is that its use of Unicode can cause problems, but there is a lot more problems than just that). I do not agree with the solutions mentioned there either, although they do make some improvements, there are also some problems.
A better way would be a different operating system design, although without that, you can still improve it on Linux. I think putting secrets in the message bus is not really the way to do sandboxing properly, and I think there should not be a global message bus (it should be specific to a program; if the program is properly sandboxed it can be limited what it can access, and possibly they can be declared by the use of environment variables, although).
There are also problems with the existing sandboxing systems; e.g. some do not work properly with character sets and might not support such things as: popen, command-line arguments of the program to restrict which files can be read/written, etc.
For security for programs running on the same computer communicating with each other while they are running, cryptographic algorithms are probaly not the way to do it; the operating system should handle the security to prevent programs from seeing and/or tampering with something that it is not supposed to do, so that the communication between programs is prevented unless it is configured to allow it.
For the data format, I might use DER (or SDER for the fields that are not required to be in canonical form, since canonical form does not matter for all fields but for some it might matter).
(The implementation would prevent messages from being sent to or received from whoever it is not supposed to be allowed to do, by checking the permissions and/or by just blocking access, forwarding the messages to proxies that might modify and/or log them, etc; such things can potentially make the system more versatile.)
> This means that when "/usr/bin/firefox" sets a "passwords:superwebsite.com = animebooba", an app called "~/Downloads/totally_legit.sh" can not see ...
It will be interesting to see how it treats symlinks in this case. Or specifically, will this idea break completely for nixos or not.
I never took d-bus seriously because they said that when dbus was updated you could not just restart the dbus daemon, you were required to hard reboot.
> any app on the bus can read all secrets in the store if the store is unlocked
Holy shit. I knew conceptually that this was the case but never really took the time to consider the implications.
Pretty much whenever you unlock your keyring all your secrets are accessible by any software that can connect to the bus... How is this acceptable? Are we just supposed to run everything as Flatpak?
Funnily enough, my work macOS keychain maimed itself in such a way that I need to recreate it every time I install an OS update. Every time I recreate it, the OS spends a few minutes in a state where every application that needs access to the secrets store requests access through the keychain's password. Incredibly secure!
Turns out, that's every application, every few minutes, many of them multiple times. Applications like having access to things like refresh tokens so they can download your email, or discover passwords for offering autofill for a website.
I'd welcome many improvements to the Linux status quo, but applications not needing to ask before accessing the bus is the only reason it's usable in the first place.
The reality is no one wants to be prompted everytime for a password. They want it to auto fill.
In complaining about this people are setting the boundary at the wrong place, and in proposing solutions assuming user behavior which doesn't exist (they will absolutely click "yes trust random application I'm busy move along now please").
I do not want to be prompted. I do perhaps want grades of secret access but even then thats asking a lot - do you want my SSH keys? Well yeah I probably want to give them to you some app which is automating things over SSH. It's 5 more versions before you get updates to ship them all to Russia or wherever after an author hand over.
Could this bus offer a dbus-compatibility 'firewall/translator' d-bus socket per each app (provided they use the d-bus environment variables correctly)? That might speed adoption if it is able to be a drop-in default, instead of needing to run 2 busses.
So everyone has wanted "year of the Linux desktop" for a while. This year, since Microsoft has decided to call open season on their own feet and Valve has taken a break from swimming in their money pool to make sure absolutely any piece of software ever written can run on Linux, it looks like this might actually be happening. I am seeing a massive influx of new users, driven by distros like Cachy, Nobara, Bazzite. A lot of them don't have previous Linux experience and are generally not the most technically savvy users.
This absolutely terrifies me. Linux desktop security is, to put it politely, nonexistant. And the culture that goes with Linux desktop users just makes things worse, there's still a lot of BOFH gatekeeping going on, laughing at the new users when they inevitably mess something up and worst of all, completely refusing to admit that the Linux desktop has security issues. Whenever a new user asks what antivirus they should run, they are usually met with derision and ridicule, because the (oldschool) Linux users genuinely think their computers are somehow immune and can never be hacked.
The first cybercriminals to put some development effort into Linux ransomware/stealers are going to wreak havoc and a lot of people are going to be in for a rude awakening. The D-Bus issue with secrets in the article is just one of many many many ways in which Linux desktops are insecure by design.
There are of course distros out there that take security seriously, but we are not really seeing new users migrating to Qubes en masse.
Edit: not calling out the distros above in particular, all 3 are doing very good work and are not really any worse in security than most other distros.
Any windows program you download can steal all your secrets too. The only operating systems that isolate programs by default are on phones (and chromebooks).
Unless you give it admin permissions, it really can't (admittedly, a lot of Windows users do run their computers with their admin account by default). Also, Windows users generally have at least some kind of anti-malware running, which, while not perfect, does work well against most spray-and-pray malware out there.
Edit: did some research, I must correct myself, the stealers have indeed evolved so admin permissions are not required for most credentials on Windows either.
However, should "strictly speaking, not really worse than Windows" be the security target we aim for in Linux?
All your data is owned by your user. If you run a program, it will have access to all your data. Admin or not is irrelevant here.
The keyring is pretty open on Windows, if you know the key you can request anything even if stored by another app. There is a way to lock a secret to a specific app but it's not properly enforced in most versions of Windows.
The only user data that would require admin privilege is that of sandboxed Windows Store applications where even the owner can't access it directly from outside the program and you have to be admin.
> An important part of adoption will probably be bindings to other languages. The libraries are all in C++, but since they aren't very big (by design), making Rust / Go / Python bindings shouldn't be hard for someone experienced with those languages.
If the the protocol is that clean, make a formal specification for it that can be used to generate client code.
A binding to C++ is definitely not what I want in my Go program.
While there is some valid criticism to be held against D-Bus and its implementations (there's more than one in common use), this article never goes there. It appears to be just an incoherent rambling of someone with poor understanding of how systems work together.
And yes the default and in particular the glib implementations are horrible.
The sdbus implementation is way cleaner.
The claims about "everybody can call everything" are just wrong. There are bus policies and if you care you define them. That being said - the desktop people don't care. But that's not a problem of the dbus design.
Look at CORBA or DCOM. You don't really want that either.
As I understand it, systemctl uses D-Bus to send commands to systemd. I have read that systemd implemented their own D-Bus which is faster than stand-alone D-Bus.
So this gives me pause:
'Ever seen kwallet or gnome-keyring? Yeah, these things. These are supposed to be "secret storage" for things like signing keys, passwords, etc. They can be protected by a password, which means they are secure... right? No. No, they aren't. These secrets may be encrypted on disk, which technically prevents them from being stolen if your laptop is stolen. If you just cringed at that because disk encryption has been a thing for 20 years now or so, you're not alone. However, the best thing is this: any app on the bus can read all secrets in the store if the store is unlocked. No, this is not a #%&@ing joke. Once you input that password, any app can just read all of them without you noticing."
So, how does systemd ensure that D-Bus commands cannot originate from an unprivileged account?
Does systemd's D-Bus implementation use a different security architecture than stand-alone D-Bus?
I admit that I don't know anything about these mechanisms.
systemd accepts commands from the system bus (i.e. the dbus instance running as uid 0). User desktops have their own session bus, which runs as the user.
Put OS calls on the bus. IMHO we need to add permissions to most user-space APIs so apps don't need to be sandboxed in a VM for security. Is this what SE Linux is? But I sometimes want permission to be granted by the user. For example, I don't want programs to be able to access files unless the user specifies the file - this might be through direct interaction with a GUI, or if we're really smart/tricky enabled if a filename comes on the command line typed by the user. I hope this makes sense, a way to gate system access via normal user input. Is this a reasonable possibility, or am I dreaming too big?
> D-Bus was introduced by GNOME folks about 20 years ago. For software made only 20 years ago, as opposed to 40 like X, it's surprisingly almost equally as bad.
That's not a surprise. The author of systemd, for instance, is working for Microsoft. Suddenly all those changes to the Linux ecosystem make a lot of sense. It became a corporate commodity, from A to Z. And when that is your objective, it kind of makes sense to have a unified system, even if it is crap.
I'm vocal critic of microsoft but systemd/wayland was one of the best things to happen to linux. If you can improve upon it, then feel free to implement a better solution.
A solution to what? Aside from details of the implementation, one can also disagree with the framing of the problem and scope of the solution. Sure, we're free to implement an alternative solution for doing DNS resolution and IPC and logging and time synchronization and job scheduling and service monitoring and ... but should there be a single solution to all of these things at once?
All of the things you mention are interdependent, as resource and service management is the core of it all. I'm convinced that they set out to design somethign that has a scope which is as small as possible, but then noticed that interfacing with legacy-but-established open source software was extremely difficult.
I'm very thankful for systemd covering more and more bases because the "common" alternatives for many problems might be stable but they are often really bad to configure, maintain and debug - the ergonomics in non-default use cases have a lot of potential for improvement. And what can you do if the maintainer is not responsive to the kind of improvements you would need to make the software ready for the next decades? Many times I have forked things and tried to refactor their technical debt so a new feature can be implemented without making it an even bigger hack, and after that you just want to delete it all and start from scratch with a "proper" setup.
So I can understand the perspective of the systemd developers and the pain they had to go through simply on a technical level, not even thinking about the huge flamewars on mailing lists with some people.
Open source has big social dynamics, and a certain type of person is attracted to being "leader" or maintainer even though they are not as technical as I would wish them to be. I've had the painful experience with having to explain security vulnerabilities to some of them and my idealistic illusion of open source project governance received a good grounding in reality.
On top of this imo the documentation of systemd is really good.
Wherever they might be working now.. isn't really relevant to the project
> Lennart Poettering and Kay Sievers, the software engineers then working for Red Hat who initially developed systemd,[2] started a project to replace Linux's conventional System V init in 2010.[16]
A note about this conversation. and your improvements has been added to the "talk" page - Can I recommend that you make the appropriate change to the actual page?
(Mostly because 1) I don't think that the talk page will be paid any attention during the next... millenia.. and 2) I think that you should make the change because you knew that it was incorrect, and have receipts)
One more thing: D-Bus has the concept of generic services which can be automatically started, e.g. org.freedesktop.FileManager1. When you send a command to that service, the file manager will be started if it is not already running. However, there is no mechanism for the user to select which file manager to start, so if you happen to have both KDE and GNOME installed you have a 50:50 chance of launching dolphin or nautilus. See for example: https://unix.stackexchange.com/questions/778028/set-a-specif... . It truly boggles the mind.
D-Bus has no concept of generic services. People are using D-Bus to get automatic startup of generic services even though it's not fit for this purpose. It's quite a different thing.
You could build a viable solution on top of D-Bus though, it's just that apparently nobody bothered so far.
> Back when I was writing xdg-desktop-portal-hyprland
Ah, yes, XDG "portals". The reason file selection and screencasting is broken on every new Linux/Wayland installation I do, forcing me to try to understand the insane matrix of supported, half-supported, broken, and unsupported features by the dozen+ different implementations, and come up with the magic configuration incantation that makes it work on my system. Brilliant stuff. But it's secure!
> That is why, I've decided to take matters into my own hands. I am writing a new bus.
Oh, goody. The author quotes xkcd/927 as if anticipating the response, when it's exactly appropriate for this situation.
> For example, with wayland, when you switch, you abandon X. You cannot run an X11 session together with a wayland one, simply not how it works.
Huh? I use niri, and had to install both Xwayland and xwayland-satellite to get some of my apps working. I have no idea what either does, and even less interest in figuring it out, but it sure sounds like some X compatibility layer. Please tell me more about how much X, and now D-Bus, sucks.
I switched to Wayland a few months ago, and I'm happy that things mostly work now, but it seems that reinventing the wheel is the M.O. of developers in the Wayland community. Everyone is tired of everyone else's shit, has a superiority complex as evidenced by this ranty article, and has the urge to recreate literally every tool in the ecosystem that works for their own specific use case. Case in point: the dozens of tools that start with `hypr`. I guess we can add "tavern" now to that, whatever the fuck it is.
I'm tired of the state and direction of modern Linux. I wish I could use OpenBSD and leave this constant churn and bickering behind.
They're pointing out toxic behavior, favoring constructive criticism, and yet engage in the same behavior they're criticizing. Wild. How we ended up with these people as leaders in the Linux community is beyond me.
> An important part of actually advancing a product forward is to cooperate.
>I've decided to take matters into my own hands. I am writing a new bus.
Why not reuse Binder which has been to deployed to billions of devices, being a core part of a serious OS, with many many more developers who understand it compared to dbus.
You would probably want to write your own service manager, but you can reuse hardened stuff that already exist.
Yes! Make something built on top of binder, and use something with orders of magnitude more users and developer resources behind it..
> hardened stuff that already exist.
To make it even more hardened(?), Google recently contributed and got merged a Rust implementation of binder for the Linux kernel (and they're apparently planning to eventually remove the old C implementation).
https://lwn.net/Articles/953116/
https://lore.kernel.org/rust-for-linux/20231101-rust-binder-...
Which OS? I didn’t get many results for BSD binder. Then I figured maybe you were joking about the “serious” part, so I tried windows binder, iOS binder, didn’t see much…
Binder is the primary way apps talk to the various OS services on Android.
https://source.android.com/docs/core/architecture/ipc/binder...
https://www.kernel.org/doc/html/latest/admin-guide/binderfs....
https://source.android.com/docs/core/architecture/ipc/binder...
There are few implementations of the Binder userspace outside of Android.
How many implementations existed of their new bus?
Considering that any new implementation of Binder userspace would realistically also be incompatible with Android Binder, what would really be the gain here? You'd basically have yet another wire protocol that nobody else uses but now also depends on having a obscure Linux feature enabled.
Why would it need to be a new implementation? AOSP is like... right there, and it's not like libbinder has crazy dependencies.
> also depends on having a obscure Linux feature enabled
An extremely widely used and battle hardened Linux feature, though, with corporate sponsorship and active development. With the only real reason it's obscure on desktop linux at all is because upstream blocked it for a long time. If desktop linux embraced it, it certainly wouldn't be obscure anymore, now would it?
Most of binder is in outright Java. Libbinder_ndk is a subset that is unlikely to please anybody. The other libbinder (openbinder) is dead since 2006ish. I actually used this last one in certain commercial product.
> An extremely widely used and battle hardened Linux feature, though, with corporate sponsorship and active development.
Compared to _unix sockets_ , which is the other transport used by almost every other local IPC mechanism, and also what D-Bus uses, there is just no contest. Even Android uses unix sockets more than Binder.
> Most of binder is in outright Java
None of binder is in Java. The Java binder code is just JNI bindings to the native implementation.
Things like permission manager are in Java, but that's not part of binder. It's just a service published on binder, and one that wouldn't translate to current desktop Linux anyway.
> Compared to _unix sockets_ , which is the other transport used by almost every other local IPC mechanism, and what both D-Bus, TFA's proposal, and literally any other reasonable desktop IPC proposal out there, there is just no contest.
unix sockets are not an equivalent, which is why protocols are bolted on top to turn it into dbus, etc...
EDIT:
> The other libbinder (openbinder) is dead since 2006ish.
The libbinder I meant is the one in AOSP hence why I said "AOSP is right there":
https://cs.android.com/android/platform/superproject/main/+/...
That one is very definitely not dead since 2006ish.
"None of binder is in Java" is too strong a statement: https://android.googlesource.com/platform/frameworks/base/+/...
This libbinder is still way too Java-centric. It can be used from outside, and even slightly reminds me of openbinder (e.g. sp<> https://cs.android.com/android/platform/superproject/main/+/... ) but it doesn't really change the picture much. You have something which smells Java from a mile, and has a lot of other Android-isms to boot, so still likely requires to reinvent a lot of the wheel to actually use it for most desktop programs.
Even the use of C++ is likely to frown many people. (Not me).
That is a java version of a class from libbinder. Having Java and native versions of classes is a common pattern for things meant to be used from both.
https://cs.android.com/android/platform/superproject/main/+/...
The C++ origin of Binder is annoying, but unlike original Binder[1] easily workable around especially given the exact format of messages is left up for implementation to decide outside few standard bits
[1] BeOS, the docs still match what is in Android :D
Just use Android's implementation
Isn't that tightly tied to the Android permission and app model, which is radically different from generic Linux.
Not widely known but the original Binder, OpenBinder, was not even for Linux or Android It was developed for BeOS.
OpenBinder was one of the few pieces of code which was open sourced in Be Inc’s dying days just before it was acquired by Palm.
Many of the principal Be developers who worked on OpenBinder, Dianne Hackborn, Jean-Baptiste Queru, et al then moved from Palm to Danger, which was developing Android and which was later acquired by Google.
And the rest, as they say, is history.
Binder will come to linux desktop soon... together with Android :)
From the style of this article I expected that https://github.com/hyprwm/hyprwire and https://github.com/hyprwm/hyprtavern would have documentation, specification and perhaps a bunch of tests, but they're not really there (other than smoke tests).
Those would have been a great starting point as well! But maybe we'll see them later.
I believe the sole author is doing finals for their last year of university at the moment.
D-Bus is the closest Linux desktop has from XPC, COM, Android IPC.
Maybe it should be treated better, not rebooting it every couple of times.
The problem is naturally the Linux desktop fragmentation that hinders a proper full stack approach to application development.
What works for GNOME is useless for KDE, and what works for KDE is useless for XFCE, which is ignored by Sway and so forth.
> What works for GNOME is useless for KDE, and what works for KDE is useless for XFCE, which is ignored by Sway and so forth.
KDE had their own IPC thingy, DCOP, but it has been replaced with D-Bus.
Yep, using Linux in various forms since 1995.
D-Bus is over 20 years old so a reboot is in order. All this guy's gripes are not legitimate, but many are. However, upgrading desktop infrastructure is just as much about influence (clout) and "social" excellence as it is about technical exellence. A new ipc mechanism that is not backed by the major players has no chance.
I'd argue vaxry _is_ a major player, what with the rise of omarchy.org and r/unixporn, popularizing hyprland enough for him to have enough momentum to publish standards for this new era of TWM linux desktop.
actually kde has kparts which are somewhat like com. prior to d-bus kde used to use dcop.
God I loved kparts, but wasn't that more the idea that everything should be embeddable?
> KPart technology is used in kde to reuse GUI components ... By using kparts in applications developers can spend less time implementing text editor or command line features, for example and just use a katepart or a konsolepart instead.
https://techbase.kde.org/Development/Tutorials/Using_KParts
Yes it is, but since "KDE 5" I've seen less of it. Besides the obvious example of Konqueror another great example of it was reKonq, which used Akregator, Okular and Kget to handle RSS and PDFs respectively (all within the reKonq window).
Now not even Falkon does that.
Just from the top of my head that I've noticed as a user: several apps, such as Dolphin or Yakuake, use konsolepart; KWrite uses katepart, and Ark uses various parts in its file preview.
It does, but again only usable by KDE apps.
The fragmentation is a natural consequence of different use cases existing.
You can't have your cake and eat it too.
Which is why in the end, WSL 2.0 is the Year of Desktop Linux, while Android, WebOS and ChromeOS commonality is the Linux kernel, not userspace.
OpenWrt devs had this epiphany many years ago:
https://openwrt.org/docs/techref/ubus https://openwrt.org/docs/techref/ubus#what_s_the_difference_...
(no endorsement implied; in particular, ubus has not much of a security model, though OpenWrt has an excuse for that)
The problem with dbus is also that all these nice browser extensions that integrate websites with gnome/kde talk over dbus. These dbus APIs had several DOS vulnerabilities, some of which could be triggered by visiting any website. It is unacceptable that my desktop environment crashes just because something floods the dbus API, even moreso if it can be triggered by visiting a website.
So if you are a security researcher, dbus is a very worthwhile entry point if you want to improve some open source software :-)
What browser extensions? Why would I want websites to integrate with gnome or kde? What does that even mean?
Isn’t this bad boy installed by default in most Gnome distros? https://chromewebstore.google.com/detail/gnome-shell-integra...
I'm guessing the poster meant the USB and Bluetooth browser protocols (which I still find insane how anyone thought those were a good idea, but it's literally the only way to configure some keyboards today).
Not an issue with a standalone VM :D
Now you have two problems.
> Ever seen kwallet or gnome-keyring? Yeah, these things. These are supposed to be "secret storage" for things like signing keys, passwords, etc. They can be protected by a password, which means they are secure... right? [...] any app on the bus can read all secrets in the store if the store is unlocked.
Well, TIL. Looks like the default GUI for that is `seahorse`, so let's see what I've got on a relatively fresh installation... Looks like mostly Chromium stuff where there's a key that unlocks something more application-specific (e.g. for Discord) and an access token for my JetBrains account.
So no plaintext passwords per se, but now I wonder what a malicious app might uncover if it pursued the local Chromium stuff.
Where do you think those secrets are going to be stored otherwise and how are you planning to authenticate to them?
If you're not entering a password at some point, then they're in memory and available to all anyway. If no system prompts or notifies you access is happening, then it's irrelevant what software machinations might be governing this.
On platforms like Android, iOS, and macOS, secrets are easily stored encrypted with no access to the key unless you exploit the kernel. On Windows, a similar feature is opt-in, but compatibility makes it a little less reliable.
iOS and macOS combine sandboxing with their Secure Element. Android uses TEE or a secure element-like piece of hardware. Windows uses a hypervisor + the (f)TPM.
Nothing Linux can't do, it's basically glueing together a small early boot KVM VM + TPM + secure boot together with an API. Setting up your own secure boot keys to make it run relatively seamless is a pain on many consumer devices, though.
All of that is about protecting secrets at rest on the device. It is of no protection at all if an application simply asks the secure-whatever for them and then proceeds to email them all to someone else.
The secrets in the keyring of my secure boot protected, full disk encrypted laptop are exactly as secure until I boot it up and unlock the keyring for Dbus.
Keychain access can be limited with ACLs, enforced with code signing signatures as well on iOS and more so on macOS where the “keychain” can still be the older file based type.
There are secrets I cannot export from my system keychain without disabling SIP on my Mac.
> It is of no protection at all if an application simply asks the secure-whatever for them and then proceeds to email them all to someone else.
On Windows the application can specify some extra entropy/salt, and the secret is not decryptable without it[1]. So it's a tad more difficult to exfiltrate than simply asking for it.
[1]: https://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf...
Which is still protecting secrets at rest.
What are people not getting about this? The point of a shared keyring is to enable applications to share secrets. My git tokens are shared between git, my IDE, various scripts etc.
This discussion highlights the exact issue: people don't even understand what problem or use case they are actually solving.
You believe any Android or iOS app can exfiltrate all stored secrets?
> If you're not entering a password at some point, then they're in memory and available to all anyway.
They entered a password to log in probably. And Linux had a setting to restrict ptrace since years.
When Important Banking App stores a secret to my "keyring", I would never have expected that the "secret" would be trivially available to all other programs that run.
Imagine if it worked that way for browsers, and every website with a saved-password got to see all the other saved passwords...
Why is your banking app entering a secret to your keyring? That would be like writing your safe code in a paper and let it hang onto a physical keyring.
The problem isn't what's on the keyring, the (reported) problem is that it can be arbitrarily inspected in full by any program. Doors should not be able to enumerate and copy all the keys that aren't meant for them.
> Why is your banking app entering a secret to your keyring?
What is any "keyring" for if not to carry things you keep secret and exclusive?
The problem here is leakage between purposes. I don't care if the banking app is just storing my logon name for convenience, even that should never be scrapeable by Linux BonziBuddy. [0]
> That would be like writing your safe code in a paper and let it hang onto a physical keyring.
Why even put any regular keys onto such a horribly flawed keyring either? There's no real difference between (A) seeing combination-lock numbers versus (B) seeing the shape of a key that is trivial to reconstruct. [1]
[0] https://en.wikipedia.org/wiki/BonziBuddy
[1] https://en.wikipedia.org/wiki/Bitting_(key)
Unix already have a security model for this: User and Groups. You could create a new user called `banking`. And used that exclusively for any banking activities. Especially with the X11 model where you just have to type `startx` and not have to launch a bazillion software to keep a DE happy.
Have you actually tried that approach, with an individual user for all your programs?
In fact, I was attempting that kind of thing just this week, namely trying to run Spotify (distributed as a snap) as separate user in a visible window. Maybe it's possible, but it's certainly not trivial or turnkey.
> However, the best thing is this: any app on the bus can read all secrets in the store if the store is unlocked
>> The GNOME project disagrees with this vulnerability report because, according to their stated security model, untrusted applications must not be allowed to communicate with the secret service.
I'd like to point out for anyone on the fence that yes, Gnome is run by clowns in full sized clown shoes.
This is especially amazing given how much of wayland friction is in the name of security ("Why would we ever standardise a way to intercept and send keystrokes? it's not secure!")
I always thought as the secret for things that should not be saved non-encrypted on disk, not for things that should be kept hidden from other applications. And if that is your threat model, you should look into virtual machines.
That’s exactly what it’s for. Parent is just being rude for no reason.
Program running as user can read data owned by user. If this is a vulnerability then the entire linux userspace is compromised. Can you believe that applications I run can execute gpg2 and steal all my secrets?
The dbus process is run by and owned by your user. The only people that can access it is you and root. There is a system-wide bus but your secret manager isn't using that one.
It's just this: https://xkcd.com/1200/
It’s almost as if the user/group/everyone permission model developed for time sharing mainframes isn’t sufficient anymore for absolutely everything anymore.
Fortunately today with AI everyone CAN actually audit all the code for all the software running on their machine themselves by sending it to a black box cloud service, thereby running only software they KNOW they can trust! /s
"works as intended wontfix conversation locked"
I wonder if the design of D-Bus has anything to do with a principle I notice a lot, where the most meritorious solution never rises to the top for any given problem, but rather one apparently chosen by absolute randomness. For example, I wonder how many repos on github have legitimately created a 100% better framework than React, but the author simply can't get the word out for whatever reason, so the project remains accidentally anonymous. Maybe D-Bus has something similar?
> the most meritorious solution never rises to the top for any given problem, but rather one apparently chosen by absolute randomness.
Respectfully, i think that mostly happens when people reviewing the solution space don't understand the problem fully. Often the requirements differ from what people think they are, and as a result the winner seems random because they don't understand the actual requirements.
D-Bus came to prominence because of its association with GNOME, which has in turn has remained relevant mostly because of its association with Red Hat.
Most of the time, there is usually no "most meritorious", just something that is elsewhere on the "trade-off space" than the person speaking would like. I usually dismiss everybody who so snidely and arrogantly dismisses results of other people's work(e.g. the OP article), like there was some _obviously_ correct solution that the people who worked on the widely accepted solution were too stupid or malicious to choose. They could not possibly have had other priorities or doing their best to get something working acceptably in a complex ecosystem with no central control, no! They are just dumber than you (or just plain malicious).
Worse is better, but meta, because the worst way of choosing is what wins
The world is filled with "good enough" solutions. If it has 80% of the functionally needed, it will be good enough for most use cases.
> the most meritorious solution never rises to the top
You know why? Because it was the best solution at the time that covered everything they needed. You can only complain about it because the initial problem was solved and people were able to move on to something else.
Does it work for what we need it to do? Yes? Ok. Now that we have settled this problem, we can continue on developing.
Meritocracy is only relevant to someone who has ideas but no desire or ability to actually structure the idea in such a way that would work in the world we find ourselves in today.
> Maybe D-Bus has something similar?
So you just commented here to say nothing but "dbus sucks because it isn't the best. I wonder if there are better options?".
iirc it was developed as freedesktop project in order to create standard desktop bus to be used by everybody, as back in a day kde had it's own bus and gnome had another one.
https://en.wikipedia.org/wiki/Worse_is_better
There is definitely an elite cabal with its thumb on the scale here.
> The GNOME project disagrees with this vulnerability report because, according to their stated security model, untrusted applications must not be allowed to communicate with the secret service.
> Applications sandboxed via Flatpak only have filtered access to the session bus.
While I see why they think this is a bad answer it really reminds me of this: https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31... . Also they did not cite the last statement in their quote and made screenshots, so the quotes are not copyable. Who the hell does that?
Wayland, thow shall not screenshot without root.
D-Bus, YOLo!
I am not a fan of Wayland either, I rather want to be able to run programs from different users against the same application server. This works just fine on Xorg.
Works just fine on Wayland as well. It's simply a Unix socket that you can set permissions for, it's even easier than X11 with its magic cookies.
> D-Bus was introduced by GNOME folks about 20 years ago. For software made only 20 years ago, as opposed to 40 like X, it's surprisingly almost equally as bad.
I dunno man. Emacs is awesome.
I don't think they implied that old software is always bad.
Can't you guys stop reinventing the wheel every other day? I hate D-Bus like everyone else, even though at least it did bring project Utopia and all such crap. But even if I think it sucks I stay with it for the simple reason that the more alternatives you create the more you annoy other users WAY MORE than any benefit you bring them. D-Bus has been used everywhere from LG TVs to automotives, so at least it f*cking works.
Does it miss a spec? Write one.
Do you really want your secretsd or whatever to only be able to reply to whomever stored the secret? Make clients store a cookie or something and only reply if they prove ownership of it. But I have to ask : what the hell is your threat model here? The attacker is just going to ptrace firefox and read all the secrets anyway. Or read its files in $XDG_CONFIG_DIR. You are just moving around who has the ultimate responsibility, and that looks like security theater. In addition, I _want_ other programs to be able to read secrets (e.g. keyring administrators, .netrc-style shared secrets, etc.)
Do you hate a{sv}? If you propose JSON as alternative, you are going to make me laugh.
Etc. Etc.
> Make clients store a cookie or something and only reply if they prove ownership of it
Unix domain socket authentication is stronger and doesn't require storing cookies on the client side.
> what the hell is your threat model here? The attacker is just going to ptrace firefox and read all the secrets anyway.
Which is why you can (and people do, e.g. flatpak) run applications where ptrace or global filesystem access is blocked. Which is why portals exist and why there shouldn't be a "get all secrets via dbus" escape hatch.
> I _want_ other programs to be able to read secrets (e.g. keyring administrators, .netrc-style shared secrets, etc.)
Then don't use it? Secure defaults matter for most users.
> Do you hate a{sv}? If you propose JSON as alternative, you are going to make me laugh.
Find the *kwargs here: https://wayland.app/protocols/xdg-shell
Etc. etc. This isn't the 90s anymore.
> Unix domain socket authentication is stronger and doesn't require storing cookies on the client side.
And pointless here, since everything runs under the same uid. You need to authenticate this is the same browser that stored this secret, not that this is the same uid (useless), or the same pid, or any other concept that unix domain socket authentication understands.
> Which is why you can (and people do, e.g. flatpak) run applications where ptrace or global filesystem access is blocked. Which is why portals exist and why there shouldn't be a "get all secrets via dbus" escape hatch.
In which case they do not connect to the same D-Bus "bus", and the problem is again non-existent. See how flatpak sandoxing does it.
> Then don't use it? Secure defaults matter for most users.
Right until they notice they can no longer view the keyring contents, or any other stupid limitation most desktop users couldn't care about.
In fact, if you do not need a shared secrets service, and your applications are containerized... why do you need a secrets IPC at all? Just let each program store its secrets in some of its supposedly private storage...
> Find the *kwargs here: https://wayland.app/protocols/xdg-shell
Much better to have a million non-extendable protocols competing with each other. To this day there are two protocols (at least) for exposing the address of the DbusMenu service of a surface, one for gnome-shell and one for kwin. So much for the uglyness of X atoms. And this has nothing really to do with the design of the IPC mechanism itself...
Since docker, we know how to do pretty good isolation (some of the tech is shared by Flatpak etc. sandboxes) - just put stuff into different namespaces with some auth api allowing processes to 'mount' the necessary stuff.
The closer you stick to the kernel security model, the more likely your app will be safe and performant, and the less likely other devs will reject it in favor of their hand rolled stuff.
> In fact, if you do not need a shared secrets service, and your applications are containerized... why do you need a secrets IPC at all? Just let each program store its secrets in some of its supposedly private storage...
If I store my secrets in KWallet, which purports to _storage for secrets_, I absolutely do not expect every application on the desktop to have access to those secrets, whether I want to share them or not.
I can't believe you're suggesting this is sanely defensible.
KWallet has never provided any security guarantee, so I dunno what is your surprise here. Its entire premise is centralization and sharing (i.e. not having to type each individual password over and over in each program).
> And pointless here, since everything runs under the same uid. You need to authenticate this is the same browser that stored this secret, not that this is the same uid (useless), or the same pid, or any other concept that unix domain socket authentication understands.
I disagree. With UNIX domain sockets it is absolutely possible to determine the PID of the process that you are talking to and use pidfd to validate where it is coming from. Would be entirely possible to use this for policy.
> In fact, if you do not need a shared secrets service, and your applications are containerized... why do you need a secrets IPC at all? Just let each program store its secrets in some of its supposedly private storage...
And how exactly does the app container service store something encrypted securely on disk? That's literally the point of a secrets service on a modern desktop. It usually gets keymatter in the form of a user password carried to it from PAM, in order to allow on-disk encryption without needing separate keyring passwords. (And yeah, sure, this could use TPM or something else to avoid the passwords, but the point is literally no different, it shouldn't be each application's job individually to manage their own way of getting secure storage, that's a recipe for data loss and confusion.)
> Much better to have a million non-extendable protocols competing with each other. To this day there are two protocols (at least) for exposing the address of the DbusMenu service of a surface, one for gnome-shell and one for kwin. So much for the uglyness of X atoms. And this has nothing really to do with the design of the IPC mechanism itself...
That's a problem that occurs because the protocols have multiple distinct implementations. Most of the dbus services don't have to deal with that problem at all. (And the ones that do, tend to have problems like this. There are plenty of weird incompatibilities with different XDG desktop portal implementations.)
I'm pretty sure the point of bringing up xdg-shell is because the new bus is inspired by the Wayland protocol. For all of the incessant bitching about Wayland online, Wayland protocols are only about 1000x nicer to use than dbus. You can actually do decent code generation for it without having to have like 5 competing ways to extend the XML to add basic things like struct member annotations (and then have things like Qt's own DBus code generator unable to actually handle any real DBus service definitions. Try throwing the systemd one at it, doesn't fucking work. The code doesn't even compile.)
> determine the PID of the process that you are talking to and use pidfd to validate where it is coming from.
The pidfd_open() man page doesn't list many things that can be done with a pidfd. What sort of validation do you have in mind?
I would love to have a reasonably snoop-proof secret storage service whose security model works with normal programs (as opposed to requiring Flatpaks or the like).
> With UNIX domain sockets it is absolutely possible to determine the PID of the process that you are talking to and use pidfd to validate where it is coming from.
Validate what? You're just moving the responsibility to whatever answer you give here. If you say "validate the exec name is firefox-bin" then the next person who comes in will say "I hate $your_new_fangled_ipc, you can make it dump all your secrets by renaming your exec to firefox-bin". (This is just an example).
> And how exactly does the app container service store something encrypted securely on disk? That's literally the point of a secrets service on a modern desktop.
The more I think of it, the less sense this makes. If you already have a system where applications cannot read each other's data, what is the point of secret service? What is the security advantage?
If you want to encrypt with TPM, fingerprint, or anything else, that's encryption, which is separate from storage (you can encrypt the password with say a PCR but the application gets to store the encrypted password in any way they want).
Password encryption in the desktop keyrings are for the situation for when every application can read each other's data files easily (again, as in the desktop). In which case, it may make sense to use encryption so that such data is not (trivially) accessible from any other application (otherwise https://developer.pidgin.im/wiki/PlainTextPasswords applies) .
If your applications are already running sandboxed, a keyring sounds to me like useless complexity? Just make each application store its data into its sandbox. What's the threat vector here, that super-user-that-can-escape-sandbox can read into the sandboxes and extract the password?
> You can actually do decent code generation for it without having to have like 5 competing ways to extend the XML to add basic things like struct member annotations (and then have things like Qt's own DBus code generator unable to actually handle any real DBus service definitions. Try throwing the systemd one at it, doesn't fucking work. The code doesn't even compile.)
Yes sure, another problem resulting from the lack of standarization. But my point was -- standarize (write a spec), instead of adding more to the problem by creating yet another competing standard which will obviously NOT solve the problem of lack of standarization.
The funny/sad detail is that the 80s (at the latest) already solved the problem. Have a look as XDR and Sun RPC. It has both strongly typed APIs and versioning built in. You would have to come up with your authentication mechanism for applications e.g. have them send a cookie file (descriptor).
This is the first time I hear that anyone hates D-Bus. I always saw it as a global API Bus that Apps can register to and which enables some sort of interoperability and automation. After all it can even be used from Bash. What is bad about this?
The security aspect seems also a bit funny to me. After all the average Desktop has most data in the home directory, so every application can read everything. That's not the fault of D-Bus.
Also I'm puzzled that Polkit hasn't been mentioned even once.
The architecture is fundamentally broken when you are using multiple window managers / desktop environments https://github.com/dunst-project/dunst/issues/363
> The security aspect seems also a bit funny to me. After all the average Desktop has most data in the home directory, so every application can read everything.
The world is moving towards sandboxed applications (through flatpak and friends) more and more. As per the OP, this is one of the things holding sandboxing back.
There's sandbox escapes daily since decades. It doesn't work.
Check varlink, an alternative to D-Bus defined in the SystemD world.
https://media.ccc.de/v/all-systems-go-2024-276-varlink-now-
Nah, fuck that one in particular. DBus was too type-unsafe? Why not use JSON then, right? Right?!
> The security aspect seems also a bit funny to me. After all the average Desktop has most data in the home directory, so every application can read everything. That's not the fault of D-Bus.
Those secret stores (gnome-keyring/kwallet) store the secrets encrypted on disk, so every application can read the encrypted secrets but only the secret store has the encryption key to decrypt them. This is held in memory, not on disk.
> Does it miss a spec? Write one.
FreeDesktop-dot-Org would not accept one from the author if he did:
https://blog.vaxry.net/articles/2024-fdo-and-redhat
https://blog.vaxry.net/articles/2024-fdo-and-redhat2
I am puzzled by this comment - hasn't been an explicit goal for the Linux desktop (pushed esp by the Gnome/Fedora folks) to have applications run in a sandbox? That's literally what stuff like Flatpak xdg-desktop-portal and Wayland isolation are built around.
And maybe its time for a reinvention anyway? IPC and efficient and portable formats are very mature nowadays, with protobuf, flatbuffers etc. and the general model of the internet is based around service location, and stuff talking to each other.
I'm kida curious why they didn't go with Unix Sockets in the first place, with named pipes in memory carrying the message transport.
> hasn't been an explicit goal for the Linux desktop (pushed esp by the Gnome/Fedora folks) to have applications run in a sandbox?
Yes, and the article's author forgot to tell you that their rant doesn't apply to applications running in a sandbox, as their D-Bus access is filtered.
I've never had much luck with it either. A lot of the same pain points as the author.
As for it being used everywhere, sure, we had some bad SOAP stuff being used everywhere at one time, but that's not a good thing...
Regarding secrets etc.. on the one hand, yeah it's not much to worry about people with access to your machine reading stuff on your machine, buut*, it's kinda dumb to have stuff encrypted and left around for a public unsecured protocol. The solution would be, for apps that need security, don't use dbus.
If the API was less loosey goosey (self documentating, not so open ended, less awkward), I agree it's fine for applications at the same level of trust to all access the same thing.
The problem is more random scripts off the internet using browser apis to read stuff out of local storage containers. Forcing local containers to explicitly allow such access, and yes, using a non-dbus protocol, would be a preferred method, while not requiring overly complex authentication schemes locally...
Otherwise the main change I would have made would be to explicitly allow applications to access the bus, vs just a random app having access by virtue of running in memory...
I may be naive, but why not adopt the browsers api development model. 90% shared core apis, experimental ones, for a few years it seems that every group can work on its code without breaking things for user much while new ideas coming regularly.
How does it work exactly? I mean, the premise here is:
"it f*cking works"
Can we objectify this claim made here?
Perhaps the SecretManager deserves some extra attention, but I concur. We worked long enough on this, please dont split whats left of the linux desktop...
I don't recall asking for any "bus" in the first place.
> Do you hate a{sv}? If you propose JSON as alternative,
Obviously, the components should talk using MCP.
You may be joking but I think seriously that may be a decent idea. The universal RPC/automation mechanism which everybody implements-whatever its warts may be-is superior to a better-designed one which few actually end up supporting. You don’t need an LLM to call MCP tools, there’s nothing stopping you from calling MCP tools from any programming language.
d-bus often fails to work properly, at least on my machine, where systemd is not in use.
it already annoys me.
an alternative would be welcome.
I believe someone from systemd should reimplement d-bus in rust. This way we can have all the things we hate in a single instance.
https://varlink.org/ systemd already has
Problem is, varlink has been created to alleviate the pain while what I'm looking for here is even more suffering. Perhaps add AI and MCP into the mix. At kernel level with hard dependency on sudo-rs. And local RPC should be blockchain-based.
A gold standard behaviour for when you want to replace a disfunctional tool/system and will require buy-in from a wide community, is to behave like Charlie Marsh did with ruff and uv.
He didn't barge in guns blazing proclaiming "pip is a disgrace" and "it's a fuckin joke". He wrote a tool that was much better and encourage others to try it. Within a year or so, it snowballed into an unstoppable change.
This project currently has a bunch of C++ files, no docs, no tests, no roadmap on how it might replace d-bus, nothing. And as another commenter pointed out, starting a new system service in 2025, yelling about security, and doing this in an unsafe language doesn't inspire confidence.
Lennart Poettering, Theo de Raadt and Linus Torvalds may get away with talking like this, but if you seriosly want to bring a wide community on board (without which the entire thing is a non-starter), look to Charlie instead.
Oh, and also, if you think D-Bus is bad, consider yourself lucky you didn't need to use the thing it replaced - CORBA.
> This project currently has a bunch of C++ files, no docs, no tests
I think the more important thing is the protocol itself, rather than the specific implementation. As the author notes the current D-bus standards are substandard at best.
I can get on board with that if there's a protocol spec - at least a draft or something more tangible than "it's a tavern".
I just see a bunch of undocumented C++ code here.
I think one of the point from your parent comment is that something that works for people is a powerful way of making things happen, much more powerful than rants or theory or protocols. I also noticed that with cryptography algorithms/protocol for example: design the most amazing algorithm - no one is going to use it ever if there is no great reference implementation people can use.
Aint that the truth. D-Bus isnt that terribly shit either, we just need to solve this SecretManager issue...
At this point I would like CORBA back.
That would be Cap'n Proto RPC
Similarly I wish open-source devs who wish to extend and improve existing tech take a page out of Microsoft and do their Embrace, Extend, Extinguish tactic. Like: "Here is my new D-Bus implementation, it has a couple of extra bells and whistles, which I need for my project, and is faster. Oh I have added more security, you don't have to use it right now, but some services will require it. ... Security is now mandatory. ... The protocol is now called Wire and if you need D-Bus, you can run this legacy translation layer. ... The legacy translation layer is no longer installed by default, but will be maintained for those who need it. ... It has been 30 years since anybody has needed D-Bus, we are no longer maintaining the translation layer."
Which is kind of what OP is doing, but less directly inflammatory. I wish him all the luck regardless.
This is so close to a jwz post that if the stylesheet mimicked his website's, I'd believe it was him.
I was under the impression that the security concerns there are handled by AppArmor and SELinux (though maybe not granular access control to secrets). Which all desktop Linux installs should be using one or the other, because there's much more than just D-Bus that can be a security risk.
Raises the obvious question of why not using the wayland protocol (on another socket, not on the compositor socket). It has mature implementations in many languages, an IDL with compilers, and every GUI application is already going to link to libwayland anyway.
(Or perhaps even COM)
vaxry has a beef with Drew Devault, who called him out and exposed his behavior when not writing code.
Considering a sizeable part of Wayland's low-level stuff is written by Drew back in the day, vaxry won't touch anything written by Drew.
This "protocol" effort is to further decouple Hyprland from Wayland infrastructure.
Like everything, this effort is again driven by ego and spite.
I think this is missing the main problem with security on a Linux Desktop, the user. All an attacker has to do is to convince the user to run InstallSteamWithAllGamesUnlockedForFree.sh You know, the AnnaKurnikovaSexTape.exe of the windows world.
This is an education problem and no amount of tech is going to fix it.
Even if dbus didn't have this problem, this is my hardware, I'll do what I want! That's the whole point of Linux.
nearly everything talks dbus, even browser extensions.
It’s even more serious than running untrusted shell scripts.
That's not the problem. The real problem is that if I convince you to run my script, it's going to be quite easy to convince you to give me extra permissions, so I can get to your data. It really irks me when things like Cargo are doing exactly that, make me run a sh script. Cargo and the likes, are making running sh scripts way too common.
I assume you mean rustup, not cargo specifically or am I wrong?
cargo builds/runs build.rs in the background
browser extensions? you mean like Chrome ones etc? never heard of that being a thing
plasma integration and gnome-shell integration do, and those are open source so you can see for yourself.
It’s also very common for password manager extensions like 1password and bitwarden.
D-bus breaks a very basic expectation.
That when you can open a basic X11 application like xeyes or xterm, you can open any X11 application.
D-bus breaks this.
And it makes my Linux system feel like yet another case of "microservice failure".
I don’t think I’ve ever seen a well behaved D-Bus enabled application, NetworkManager being particularly psychotic.
I'm trying a distro with Connman instead of NetworkMangler. It's the same deal. I could not for the life of me get it to connect or even see my cellphone's wifi tethering hotspot.
I shutdown the connman service and removed it from the auto startup sequence. I manually edited frickin' wpa_supplicant.conf to put my cellphone network there. Worked first time and every time thereafter.
The founding document of GNOME is called "Let's Make Unix Not Suck" by which the authors (primarily Miguel de Icaza) meant "Let's Make Unix Almost Exactly Like Windows". D-Bus is just the latest in a series of attempts to bring Microsoft's janky, kind of an object model to the realm of Unix's small do-one-thing C programs plumbed together with file descriptors, pipes, and network sockets. Except somehow, they added even more problems on top of the ones COM already had!
At least when Steve Jobs tried to retrofit Smalltalk style OOP onto the Unix model, he had the foresight to bring much of Smalltalk (in the form of Objective-C) along with.
> That when you can open a basic X11 application like xeyes or xterm, you can open any X11 application.
I have never heard of that. Even if it was true (and sounds like another security issue); X11 is almost gone for most people. Why should anyone care?
It is not true that X11 is gone. I use it. Many other people use it too.
Can you show where you got the impression that "X11 is gone"?
X11 has been replaced by Wayland as the default on the vast majority of workstations. Servers wouldn't have it anyway.
It's "gone" for roughly 80% of the people using Linux on the desktop.
(It's often still installable, it's just no longer the default and has been marked as deprecated / unmaintained.)
I often read the advice that if something does not work on Linux, then switch from Wayland to X11.
Also, 20% is quite a big userbase. What you are saying is like saying that Firefox is "gone" because "percentage".
Trust me, X11 is not gone.
(written from a browser that runs in a VNC session that uses the X11 protocol under the hood)
X is deprecated. Its maintainers do not want to maintain it. They want you to use Wayland instead.
The major DEs have removed their X code paths, or will in the next year. The toolkits will follow suit. X is a dead end for new and non-legacy software.
It's a dead end that allows me to have HiDPI (aka a 4k display) on Ubuntu 24.04 and use the VMWare GUI and OnlyOffice.
Wayland was launched 18 years ago and it still can't handle mainstream apps in common scenarios.
"I often read the advice that if something does not work on Chrome in the US Govt, try IE6." - This was still true as of last year.
"Trust me, IE6 is not gone" - me
I am using OpenBSD on an x86-64 desktop, and X is still very much the supported graphics environment.
That said, there is interest in Wayland in these circles.
https://www.openbsd.org/papers/eurobsdcon2023-matthieu-wayla...
Supported by whom? Xorg, the server, no longer maintained. Also, OpenBSD users already a tiny fraction of users...if every single OpenBSD desktop switches to Linux and Wayland, not a single metric will change significantly.
OpenBSD also maintains OpenSSH, which has enormous market penetration.
Their ssh supports the -X and -Y options to run remote X applications.
Let me know when those go Wayland-specific and are able to encompass the new protocol.
Until then, get comfortable in a small and discardable minority.
OpenBSD maintains its own Xorg fork, called Xenocara.
Are there hard numbers to back up the 80% thing? I don't know one way or the other, I'm just skeptical because I still have applications which don't work correctly under Wayland (Discord), and if I have such problems it wouldn't surprise me if others do too.
It's the default for most of the parent/child distros.
Wayland Only (default, installed):
* Fedora
* Ubuntu
* openSUSE
* Arch Linux
* Pop!_OS
Wayland (default)
* Debian
* SUSE
I use Discord on Wayland every day and have for at least 3 years. Both AMD 9060 and NVIDIA 4060 (and an AMD RX 580).
The distro you use can have a huge impact on your OOTB experience.
The waypipe toole comes quite close to X forwarding on Wayland. :-)
I'm not sure why you would need to have "heard of that". If I was getting Linux to work on my computer as many people have, and got xeyes or xterm to work, I would expect other X11 apps to work as well.
It is almost gone for me too, except that I can't adjust brightness on my laptop with Wayland. I can with X11. It's a long story but that's the TL;DR of it. So until all of that almost goes away, it's full X11 at least for some people like me.
I had the same problem until an updated fixed it
There are still many of those kinds of issues left.
I was surprised to learn that Wayland still doesn't offer control of keyboard LEDs like Scroll Lock, so unprivileged programs that use those LEDs cannot be ported to Wayland.
Even if I didn't depend on such a program myself, I would find it strange that Wayland gives the compositor responsibility for only part of the keyboard: its keys, but not its indicator lights.
Are you really thinking of dbus here? It's not in the normal binary loading path. And afterwards, it's not any different from other libraries which may or may not stop the app from functioning for many reasons.
>Back when I was writing xdg-desktop-portal-hyprland, I had to use a few dbus protocols (xdg portals run on dbus) to implement some of the communication. If we go to the portal documentation, we can find the protocols.
>[...]
>None of the apps, I repeat, fucking none followed the spec. [...]
>Fun fact: THIS IS STILL THE CASE! The spec advertises a "restore_token" string prop on SelectSources and Start, where no app does this and uses "restore_data" in "options".
Wrong. xdg-desktop-portal has a client API and a compositor API. In the client API the property is called restore_token [1]. In the compositor API the property is called restore_data [2]. Clients do not talk directly to the compositor, they talk to the xdg-desktop-portal application which then talks to the compositor. It is not surprising the the properties would not be called the same.
In the documentation the APIs for app developers and desktop developers are clearly separated on the left hand side [3]. Not only does this have nothing to do with DBus (it would apply to every API where a middleware is used to translate messages), it also shows that the author did not do his due dilligence.
[1]: https://flatpak.github.io/xdg-desktop-portal/docs/doc-org.fr...
[2]: https://flatpak.github.io/xdg-desktop-portal/docs/doc-org.fr...
[3]: https://flatpak.github.io/xdg-desktop-portal/docs/
> It is not surprising the the properties would not be called the same.
It is a bit surprising that xdg-desktop-portal has two very similar APIs that differ in non-obvious and seemingly-arbitrary ways. I was also a bit confused about how the two APIs correspond (or don’t) when I first read their documentation.
I do not like D-Bus either, and I do not like JSON either. Some of the problems are the ones mentioned there, and it has many other problems as well (one of these is that its use of Unicode can cause problems, but there is a lot more problems than just that). I do not agree with the solutions mentioned there either, although they do make some improvements, there are also some problems.
A better way would be a different operating system design, although without that, you can still improve it on Linux. I think putting secrets in the message bus is not really the way to do sandboxing properly, and I think there should not be a global message bus (it should be specific to a program; if the program is properly sandboxed it can be limited what it can access, and possibly they can be declared by the use of environment variables, although).
There are also problems with the existing sandboxing systems; e.g. some do not work properly with character sets and might not support such things as: popen, command-line arguments of the program to restrict which files can be read/written, etc.
For security for programs running on the same computer communicating with each other while they are running, cryptographic algorithms are probaly not the way to do it; the operating system should handle the security to prevent programs from seeing and/or tampering with something that it is not supposed to do, so that the communication between programs is prevented unless it is configured to allow it.
For the data format, I might use DER (or SDER for the fields that are not required to be in canonical form, since canonical form does not matter for all fields but for some it might matter).
(The implementation would prevent messages from being sent to or received from whoever it is not supposed to be allowed to do, by checking the permissions and/or by just blocking access, forwarding the messages to proxies that might modify and/or log them, etc; such things can potentially make the system more versatile.)
> This means that when "/usr/bin/firefox" sets a "passwords:superwebsite.com = animebooba", an app called "~/Downloads/totally_legit.sh" can not see ...
It will be interesting to see how it treats symlinks in this case. Or specifically, will this idea break completely for nixos or not.
Keychain ACLs on macOS use the codesigning requirement of the executable requesting the secret.
My guess is it will keep track of the PID
PID changes with every execution. How would it help when preserving configuration data?
I never took d-bus seriously because they said that when dbus was updated you could not just restart the dbus daemon, you were required to hard reboot.
> any app on the bus can read all secrets in the store if the store is unlocked
Holy shit. I knew conceptually that this was the case but never really took the time to consider the implications.
Pretty much whenever you unlock your keyring all your secrets are accessible by any software that can connect to the bus... How is this acceptable? Are we just supposed to run everything as Flatpak?
Funnily enough, my work macOS keychain maimed itself in such a way that I need to recreate it every time I install an OS update. Every time I recreate it, the OS spends a few minutes in a state where every application that needs access to the secrets store requests access through the keychain's password. Incredibly secure!
Turns out, that's every application, every few minutes, many of them multiple times. Applications like having access to things like refresh tokens so they can download your email, or discover passwords for offering autofill for a website.
I'd welcome many improvements to the Linux status quo, but applications not needing to ask before accessing the bus is the only reason it's usable in the first place.
keepassxc asks before giving out secrets
Most people disable that.
The reality is no one wants to be prompted everytime for a password. They want it to auto fill.
In complaining about this people are setting the boundary at the wrong place, and in proposing solutions assuming user behavior which doesn't exist (they will absolutely click "yes trust random application I'm busy move along now please").
I do not want to be prompted. I do perhaps want grades of secret access but even then thats asking a lot - do you want my SSH keys? Well yeah I probably want to give them to you some app which is automating things over SSH. It's 5 more versions before you get updates to ship them all to Russia or wherever after an author hand over.
Could this bus offer a dbus-compatibility 'firewall/translator' d-bus socket per each app (provided they use the d-bus environment variables correctly)? That might speed adoption if it is able to be a drop-in default, instead of needing to run 2 busses.
So everyone has wanted "year of the Linux desktop" for a while. This year, since Microsoft has decided to call open season on their own feet and Valve has taken a break from swimming in their money pool to make sure absolutely any piece of software ever written can run on Linux, it looks like this might actually be happening. I am seeing a massive influx of new users, driven by distros like Cachy, Nobara, Bazzite. A lot of them don't have previous Linux experience and are generally not the most technically savvy users.
This absolutely terrifies me. Linux desktop security is, to put it politely, nonexistant. And the culture that goes with Linux desktop users just makes things worse, there's still a lot of BOFH gatekeeping going on, laughing at the new users when they inevitably mess something up and worst of all, completely refusing to admit that the Linux desktop has security issues. Whenever a new user asks what antivirus they should run, they are usually met with derision and ridicule, because the (oldschool) Linux users genuinely think their computers are somehow immune and can never be hacked.
The first cybercriminals to put some development effort into Linux ransomware/stealers are going to wreak havoc and a lot of people are going to be in for a rude awakening. The D-Bus issue with secrets in the article is just one of many many many ways in which Linux desktops are insecure by design.
There are of course distros out there that take security seriously, but we are not really seeing new users migrating to Qubes en masse.
Edit: not calling out the distros above in particular, all 3 are doing very good work and are not really any worse in security than most other distros.
Any windows program you download can steal all your secrets too. The only operating systems that isolate programs by default are on phones (and chromebooks).
Unless you give it admin permissions, it really can't (admittedly, a lot of Windows users do run their computers with their admin account by default). Also, Windows users generally have at least some kind of anti-malware running, which, while not perfect, does work well against most spray-and-pray malware out there.
Edit: did some research, I must correct myself, the stealers have indeed evolved so admin permissions are not required for most credentials on Windows either.
However, should "strictly speaking, not really worse than Windows" be the security target we aim for in Linux?
All your data is owned by your user. If you run a program, it will have access to all your data. Admin or not is irrelevant here.
The keyring is pretty open on Windows, if you know the key you can request anything even if stored by another app. There is a way to lock a secret to a specific app but it's not properly enforced in most versions of Windows.
The only user data that would require admin privilege is that of sandboxed Windows Store applications where even the owner can't access it directly from outside the program and you have to be admin.
> An important part of adoption will probably be bindings to other languages. The libraries are all in C++, but since they aren't very big (by design), making Rust / Go / Python bindings shouldn't be hard for someone experienced with those languages.
If the the protocol is that clean, make a formal specification for it that can be used to generate client code.
A binding to C++ is definitely not what I want in my Go program.
While there is some valid criticism to be held against D-Bus and its implementations (there's more than one in common use), this article never goes there. It appears to be just an incoherent rambling of someone with poor understanding of how systems work together.
For a second, I thought this was about Deutche Bank's central markets messaging bus, also called D-Bus. So many memories...
I think this rant is more about Gnome than about dbus. Yes - there's a lot of Worse is better (https://en.wikipedia.org/wiki/Worse_is_better) design in there.
And yes the default and in particular the glib implementations are horrible. The sdbus implementation is way cleaner.
The claims about "everybody can call everything" are just wrong. There are bus policies and if you care you define them. That being said - the desktop people don't care. But that's not a problem of the dbus design.
Look at CORBA or DCOM. You don't really want that either.
As I understand it, systemctl uses D-Bus to send commands to systemd. I have read that systemd implemented their own D-Bus which is faster than stand-alone D-Bus.
So this gives me pause:
'Ever seen kwallet or gnome-keyring? Yeah, these things. These are supposed to be "secret storage" for things like signing keys, passwords, etc. They can be protected by a password, which means they are secure... right? No. No, they aren't. These secrets may be encrypted on disk, which technically prevents them from being stolen if your laptop is stolen. If you just cringed at that because disk encryption has been a thing for 20 years now or so, you're not alone. However, the best thing is this: any app on the bus can read all secrets in the store if the store is unlocked. No, this is not a #%&@ing joke. Once you input that password, any app can just read all of them without you noticing."
So, how does systemd ensure that D-Bus commands cannot originate from an unprivileged account?
Does systemd's D-Bus implementation use a different security architecture than stand-alone D-Bus?
I admit that I don't know anything about these mechanisms.
https://www.reddit.com/r/linux/comments/1lxd0hl/systemctl_vs...
systemd accepts commands from the system bus (i.e. the dbus instance running as uid 0). User desktops have their own session bus, which runs as the user.
Thanks, that makes sense.
Still, for user-level systemd, that means the bus is open to any binary running with the user's credentials.
This is not any worse than the risk of running ssh-agent, though.
polkit
Put OS calls on the bus. IMHO we need to add permissions to most user-space APIs so apps don't need to be sandboxed in a VM for security. Is this what SE Linux is? But I sometimes want permission to be granted by the user. For example, I don't want programs to be able to access files unless the user specifies the file - this might be through direct interaction with a GUI, or if we're really smart/tricky enabled if a filename comes on the command line typed by the user. I hope this makes sense, a way to gate system access via normal user input. Is this a reasonable possibility, or am I dreaming too big?
Could not MQTT form the base of a new desktop bus? At least one half of it. It does not specify everything, but would it not be good foundation?
MQTT solves the transport, which really isn't an issue. It solves nothing beyond that.
Sometimes I feel that it would be easy to just take parts of Android instead of reinventing the wheel.
> D-Bus was introduced by GNOME folks about 20 years ago. For software made only 20 years ago, as opposed to 40 like X, it's surprisingly almost equally as bad.
That's not a surprise. The author of systemd, for instance, is working for Microsoft. Suddenly all those changes to the Linux ecosystem make a lot of sense. It became a corporate commodity, from A to Z. And when that is your objective, it kind of makes sense to have a unified system, even if it is crap.
I'm vocal critic of microsoft but systemd/wayland was one of the best things to happen to linux. If you can improve upon it, then feel free to implement a better solution.
A solution to what? Aside from details of the implementation, one can also disagree with the framing of the problem and scope of the solution. Sure, we're free to implement an alternative solution for doing DNS resolution and IPC and logging and time synchronization and job scheduling and service monitoring and ... but should there be a single solution to all of these things at once?
All of the things you mention are interdependent, as resource and service management is the core of it all. I'm convinced that they set out to design somethign that has a scope which is as small as possible, but then noticed that interfacing with legacy-but-established open source software was extremely difficult.
I'm very thankful for systemd covering more and more bases because the "common" alternatives for many problems might be stable but they are often really bad to configure, maintain and debug - the ergonomics in non-default use cases have a lot of potential for improvement. And what can you do if the maintainer is not responsive to the kind of improvements you would need to make the software ready for the next decades? Many times I have forked things and tried to refactor their technical debt so a new feature can be implemented without making it an even bigger hack, and after that you just want to delete it all and start from scratch with a "proper" setup.
So I can understand the perspective of the systemd developers and the pain they had to go through simply on a technical level, not even thinking about the huge flamewars on mailing lists with some people.
Open source has big social dynamics, and a certain type of person is attracted to being "leader" or maintainer even though they are not as technical as I would wish them to be. I've had the painful experience with having to explain security vulnerabilities to some of them and my idealistic illusion of open source project governance received a good grounding in reality.
On top of this imo the documentation of systemd is really good.
Wherever they might be working now.. isn't really relevant to the project
> Lennart Poettering and Kay Sievers, the software engineers then working for Red Hat who initially developed systemd,[2] started a project to replace Linux's conventional System V init in 2010.[16]
https://en.wikipedia.org/wiki/Systemd#History
> Lennart Poettering and Kay Sievers, the software engineers then working for Red Hat who initially developed systemd
This is wrong, Kay Sievers was working for Novell/SuSE at that time, see https://0pointer.de/blog/projects/systemd.html#faqs
A note about this conversation. and your improvements has been added to the "talk" page - Can I recommend that you make the appropriate change to the actual page?
(Mostly because 1) I don't think that the talk page will be paid any attention during the next... millenia.. and 2) I think that you should make the change because you knew that it was incorrect, and have receipts)
> "Everyone has heard about D-Bus"
I have never heard of D-Bus until today.
I sympathize, but also, the XKCD about Standards comes to mind: https://xkcd.com/927/
> A lot of people quote this xkcd comic for each new implementation. However, this is not exactly the same.
Well... It is exactly the same.
DBUS -> Crappy COM
SystemD -> SVCHost.exe
Iproute 2 -> You like netsh.exe?
Gnome 3, 4 -> Windows 8 wannabe
Mono -> C# road building path
GConf -> Windows Registry; heck, dconf-editor and gconf-editor look really close.
Can't wait for MMC.exe and GPO editing under Gnome.
I was bracing for the proposed replacement being integrated in systemd.
which of them? :)
I was actually looking forward to bus1, such a nice design.
Instead, we are getting varlink it seems. yuk. "json json eggs bacon and json"
systemd-busdd (pronounced, "busted")
Written in Rust with an MIT license for good measure.
You mean this? https://rust-for-linux.com/android-binder-driver
I wouldn't hate it. I used to hate systemd, but today it's one of my favorite linux things.
It may soon happen. :)
systemd-bus 2.0
It already has one: Varlink ( https://varlink.org/ ). For pretty much the reasons outlined by the topic starter.
One more thing: D-Bus has the concept of generic services which can be automatically started, e.g. org.freedesktop.FileManager1. When you send a command to that service, the file manager will be started if it is not already running. However, there is no mechanism for the user to select which file manager to start, so if you happen to have both KDE and GNOME installed you have a 50:50 chance of launching dolphin or nautilus. See for example: https://unix.stackexchange.com/questions/778028/set-a-specif... . It truly boggles the mind.
D-Bus has no concept of generic services. People are using D-Bus to get automatic startup of generic services even though it's not fit for this purpose. It's quite a different thing.
You could build a viable solution on top of D-Bus though, it's just that apparently nobody bothered so far.
> Back when I was writing xdg-desktop-portal-hyprland
Ah, yes, XDG "portals". The reason file selection and screencasting is broken on every new Linux/Wayland installation I do, forcing me to try to understand the insane matrix of supported, half-supported, broken, and unsupported features by the dozen+ different implementations, and come up with the magic configuration incantation that makes it work on my system. Brilliant stuff. But it's secure!
> That is why, I've decided to take matters into my own hands. I am writing a new bus.
Oh, goody. The author quotes xkcd/927 as if anticipating the response, when it's exactly appropriate for this situation.
> For example, with wayland, when you switch, you abandon X. You cannot run an X11 session together with a wayland one, simply not how it works.
Huh? I use niri, and had to install both Xwayland and xwayland-satellite to get some of my apps working. I have no idea what either does, and even less interest in figuring it out, but it sure sounds like some X compatibility layer. Please tell me more about how much X, and now D-Bus, sucks.
I switched to Wayland a few months ago, and I'm happy that things mostly work now, but it seems that reinventing the wheel is the M.O. of developers in the Wayland community. Everyone is tired of everyone else's shit, has a superiority complex as evidenced by this ranty article, and has the urge to recreate literally every tool in the ecosystem that works for their own specific use case. Case in point: the dozens of tools that start with `hypr`. I guess we can add "tavern" now to that, whatever the fuck it is.
I'm tired of the state and direction of modern Linux. I wish I could use OpenBSD and leave this constant churn and bickering behind.
EDIT: Ah, it seems the author agrees with me: https://blog.vaxry.net/articles/2024-linuxInfighting
They're pointing out toxic behavior, favoring constructive criticism, and yet engage in the same behavior they're criticizing. Wild. How we ended up with these people as leaders in the Linux community is beyond me.
> An important part of actually advancing a product forward is to cooperate.
100%. Maybe they should heed their own wisdom.
Hmm, screencasting is finally working properly for me now. It was a loooong road...