From 457b5b904d87d05e6fc0e2505e544dc366861cd2 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 12 Apr 2018 14:07:17 +0100 Subject: [PATCH 7/9] spec, dbus-daemon(1): Mention and deprecate shared session buses This might (?) have made sense behind a firewall in 2003; but now it's 2018, the typical threat model that we are defending against has changed from "vandals want to feel proud of their l33t skills" to "organised crime wants your money", and a "trusted" local LAN probably contains an obsolete phone, tablet, games console or Internet-of-Things-enabled toaster with remote root exploits. This make network topologies that used to be acceptable look increasingly irresponsible. Signed-off-by: Simon McVittie --- doc/dbus-daemon.1.xml.in | 12 ++++++++++++ doc/dbus-specification.xml | 12 ++++++++++++ 2 files changed, 24 insertions(+) diff --git a/doc/dbus-daemon.1.xml.in b/doc/dbus-daemon.1.xml.in index 4bafaeae..29f8c259 100644 --- a/doc/dbus-daemon.1.xml.in +++ b/doc/dbus-daemon.1.xml.in @@ -423,6 +423,18 @@ a transport name plus possible parameters/options. url="https://lists.freedesktop.org/archives/dbus/2018-April/017447.html" >relay connections via Secure Shell or a similar protocol. + + Remote TCP connections were historically sometimes used to share + a single session bus between login sessions of the same user on + different machines within a trusted local area network, in + conjunction with unencrypted remote X11, a NFS-shared home + directory and NIS (YP) authentication. This is insecure against + an attacker on the same LAN, in the same ways as unencrypted + remote X11 and NFSv2/NFSv3 and for the same reasons, and should + be considered strongly deprecated. The D-Bus maintainers + recommend using a separate session bus per (user, machine) pair, + only accessible from within that machine. + Example: <listen>unix:path=/tmp/foo</listen> diff --git a/doc/dbus-specification.xml b/doc/dbus-specification.xml index fa285323..37437170 100644 
--- a/doc/dbus-specification.xml +++ b/doc/dbus-specification.xml @@ -3741,6 +3741,18 @@ url="https://lists.freedesktop.org/archives/dbus/2018-April/017447.html" >relay connections via Secure Shell or a similar protocol. + + Remote TCP connections were historically sometimes used to share + a single session bus between login sessions of the same user on + different machines within a trusted local area network, in + conjunction with unencrypted remote X11, a NFS-shared home + directory and NIS (YP) authentication. This is insecure against + an attacker on the same LAN, in the same ways as unencrypted + remote X11 and NFSv2/NFSv3 and for the same reasons, and should + be considered strongly deprecated. The D-Bus maintainers + recommend using a separate session bus per (user, machine) pair, + only accessible from within that machine. + All tcp addresses are listenable. tcp addresses in which both -- 2.17.0
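Review bot: In the dbus-daemon.1.xml.in hunk, "a NFS-shared home directory" should read "an NFS-shared home directory" (the acronym is pronounced with an initial vowel). While touching that sentence, consider stating the concrete weakness rather than only the analogy: the paragraph says the setup is insecure "in the same ways as unencrypted remote X11 and NFSv2/NFSv3", but a reader who does not already know those weaknesses learns nothing about which properties the shared bus lacks. One sentence naming them, for example "the bus traffic and authentication exchange are neither encrypted nor integrity-protected on the wire, so anyone on the LAN can read or alter messages", would make the deprecation self-explanatory and connects it to the immediately preceding advice to relay connections via Secure Shell.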
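Review bot: The dbus-specification.xml hunk inserts the same paragraph word for word as the man page hunk, including the "a NFS-shared" article slip, so the two copies will drift as soon as either is edited. Since the specification is the normative document, keep the full rationale here and reduce the man page text to the recommendation plus a pointer to this section, or at least note in both places that the wording is mirrored so future edits are made to both.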