From 016c094b77b4c6610898b2a4bb7ed8e3f0c38ac2 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Thu, 12 Apr 2018 14:07:17 +0100
Subject: [PATCH 3/4] spec, dbus-daemon(1): Mention and deprecate shared
 session buses

This might (?) have made sense behind a firewall in 2003; but now it's
2018, the typical threat model that we are defending against has
changed from "vandals want to feel proud of their l33t skills"
to "organised crime wants your money", and a "trusted" local LAN
probably contains an obsolete phone, tablet, games console or
Internet-of-Things-enabled toaster with remote root exploits.
This make network topologies that used to be acceptable look
increasingly irresponsible.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106004
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
 doc/dbus-daemon.1.xml.in   | 13 +++++++++++++
 doc/dbus-specification.xml | 13 +++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/doc/dbus-daemon.1.xml.in b/doc/dbus-daemon.1.xml.in
index fabe8a1b..f93b9a34 100644
--- a/doc/dbus-daemon.1.xml.in
+++ b/doc/dbus-daemon.1.xml.in
@@ -432,6 +432,19 @@ a transport name plus possible parameters/options.</para>
   <!-- TODO: Ideally someone would write a more formal guide to
        remote D-Bus debugging, and we could link to that instead -->
 </para>
+<para>
+  Remote TCP connections were historically sometimes used to share
+  a single session bus between login sessions of the same user on
+  different machines within a trusted local area network, in
+  conjunction with unencrypted remote X11, a NFS-shared home
+  directory and NIS (YP) authentication. This is insecure against
+  an attacker on the same LAN and should be considered strongly
+  deprecated; more specifically, it is insecure in the same ways
+  and for the same reasons as unencrypted remote X11 and NFSv2/NFSv3.
+  The D-Bus maintainers
+  recommend using a separate session bus per (user, machine) pair,
+  only accessible from within that machine.
+</para>
 
 <para>Example: &lt;listen&gt;unix:path=/tmp/foo&lt;/listen&gt;</para>
 
diff --git a/doc/dbus-specification.xml b/doc/dbus-specification.xml
index 3e02c0b7..1b8ff635 100644
--- a/doc/dbus-specification.xml
+++ b/doc/dbus-specification.xml
@@ -3746,6 +3746,19 @@
         <!-- TODO: Ideally someone would write a more formal guide to
              remote D-Bus debugging, and we could link to that instead -->
       </para>
+      <para>
+        Remote TCP connections were historically sometimes used to share
+        a single session bus between login sessions of the same user on
+        different machines within a trusted local area network, in
+        conjunction with unencrypted remote X11, a NFS-shared home
+        directory and NIS (YP) authentication. This is insecure against
+        an attacker on the same LAN and should be considered strongly
+        deprecated; more specifically, it is insecure in the same ways
+        and for the same reasons as unencrypted remote X11 and NFSv2/NFSv3.
+        The D-Bus maintainers
+        recommend using a separate session bus per (user, machine) pair,
+        only accessible from within that machine.
+      </para>
       <para>
         All <literal>tcp</literal> addresses are listenable.
         <literal>tcp</literal> addresses in which both
-- 
2.17.0