From 544d679c2796602ff277e78e238abd56d30ad633 Mon Sep 17 00:00:00 2001
From: Gilles Dartiguelongue <eva@gentoo.org>
Date: Mon, 14 Dec 2009 20:37:58 +0100
Subject: [PATCH 3/4] Gentoo: fix CVE-2008-4311

commit fd648907e46017d46c367f59c62d0b0395830903
Author: Simon McVittie <http://smcv.pseudorandom.co.uk/>
Date:   2009-01-04 19:35:51 +0000

    Allow root to send messages to all the system tools backends, so
    they work even when CVE-2008-4311 has been fixed.

    Also disallow normal user access by destination, not by
    interface (fd.o #18961).
---
 org.freedesktop.SystemToolsBackends.conf |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/org.freedesktop.SystemToolsBackends.conf b/org.freedesktop.SystemToolsBackends.conf
index 58972ee..537ef73 100644
--- a/org.freedesktop.SystemToolsBackends.conf
+++ b/org.freedesktop.SystemToolsBackends.conf
@@ -22,8 +22,10 @@
     <allow send_interface="org.freedesktop.SystemToolsBackends.Platform" send_member="getPlatform"/>
     -->
 
-    <!-- Only allow talking to the dispatcher -->
-    <allow send_destination="org.freedesktop.SystemToolsBackends"/>
+    <!-- configuration modules can't be accessed directly... -->
+    <deny send_destination="org.freedesktop.SystemToolsBackends"/>
+    <deny send_destination="org.freedesktop.SystemToolsBackends.Platform"/>
+    <deny send_destination="org.freedesktop.SystemToolsBackends"/>
   </policy>
 
   <policy user="0">
@@ -45,8 +47,6 @@
 
     <!-- be able to speak to configuration modules,
          so any message to them has to go through the dispatcher -->
-    <allow send_interface="org.freedesktop.SystemToolsBackends"/>
-    <allow send_interface="org.freedesktop.SystemToolsBackends.Platform"/>
     <allow send_destination="org.freedesktop.SystemToolsBackends"/>
     <allow send_destination="org.freedesktop.SystemToolsBackends.Platform"/>
     <allow send_destination="org.freedesktop.SystemToolsBackends.GroupsConfig"/>
-- 
1.6.5.4