Comment 57 for bug 1854362

Rafael David Tinoco (rafaeldtinoco) wrote :

For the tcmu DBUS fix:

"""
- The dbus policy allows all users to call
    org.kernel.TCMUService1.HandlerManager1.RegisterHandler, which doesn't seem
    desirable. I don't think there is a direct security impact from this, as
    external handlers need to be privileged in order to own the type-specific
    well-known name on the system bus, and the call will return an error if
    called before that name is owned. But I think this should only be callable
    as the root user.
"""

I'm not taking action as we should wait for upstream to take action on:

https://github.com/open-iscsi/tcmu-runner/issues/582

and, if there isn't a direct security impact, I think it would be ok for the MIR to continue despite this change.

With that in mind:

I: tcmu
    [.] MIR ack
    [.] Security ack - dbus fix orthogonal (upstream bug)

    - https://github.com/open-iscsi/tcmu-runner/issues/582

There is nothing else to be done here but to wait for Debian to accept my merge proposals. I'll keep this updated based on salsa MR discussions (if any).

-rafaeldtinoco