security implications of /var/lib/dbus/machine-id. Thoughts?
by gus3 from LinuxQuestions.org on (#4VX13)
The latest Devuan release has this little tidbit in the release notes:
Quote:
| dbus patch to generate new dbus machine-id on boot. This behavior is configurable in /etc/default/dbus |
With further explanation at https://git.devuan.org/devuan-packag...e102bd225a511e :
Quote:
| In theory, the machine-id should be a persistent identifier of the current host. In practice, this causes some privacy concerns. As a consequence, in Devuan the dbus machine-id is recreated at each boot. |
This makes machine-id unique to each running instance of the OS on the machine.
I can't vouch for any security implications, as I don't know how one could "spoof" a D-Bus machine-id remotely. But looking through the Slackware init scripts, it would be pretty easy to mimic Devuan's new behavior, simply by deleting /var/lib/dbus/machine-id, after stopping D-Bus, in rc.6 and rc.0:
Code:
# Stop D-Bus:
if [ -x /etc/rc.d/rc.messagebus ]; then
  /etc/rc.d/rc.messagebus stop
  rm -f /var/lib/dbus/machine-id
fi
On the next boot, rc.messagebus will automatically re-create it, with a new ID.
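As an added example (not gus3's snippet and not Devuan's patch), the same rotate-at-shutdown step written as shell functions that take the target directory as a parameter, so it can be exercised against a scratch directory instead of /var/lib/dbus. The yes/no toggle is an assumption standing in for whatever the /etc/default/dbus setting is called; the post does not give its name.

```shell
#!/bin/sh
# Added example: rotate a D-Bus machine-id file the way the rc.0/rc.6 snippet
# above does, parameterised so it never has to touch the real /var/lib/dbus.

# A D-Bus machine-id is 32 lowercase hex characters on a single line.
is_valid_machine_id() {
    # $1 = path to a machine-id file
    [ -f "$1" ] || return 1
    id=$(head -n 1 "$1")
    [ "${#id}" -eq 32 ] && [ -z "$(printf '%s' "$id" | tr -d '0-9a-f')" ]
}

# Produce a fresh id. Prefer dbus-uuidgen (what the messagebus init script
# calls at boot); fall back to 16 random bytes so this runs without D-Bus.
new_machine_id() {
    if command -v dbus-uuidgen >/dev/null 2>&1; then
        dbus-uuidgen
    else
        od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
    fi
}

# rotate_machine_id DIR [ENABLED]
# ENABLED ("yes"/"no", default "yes") is a hypothetical stand-in for the
# Devuan /etc/default/dbus toggle: when "no", the existing id is kept.
rotate_machine_id() {
    dir=$1
    enabled=${2:-yes}
    file="$dir/machine-id"
    [ "$enabled" = "yes" ] || return 0
    rm -f "$file"                 # what rc.0/rc.6 would do after stopping D-Bus
    umask 022                     # machine-id is world-readable, root-writable
    new_machine_id > "$file"      # what rc.messagebus would do at next boot
}
```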