this post was submitted on 15 Dec 2025
31 points (86.0% liked)

[–] ulterno@programming.dev 3 points 4 hours ago

vaxry talked about LD_PRELOAD and I feel like that is a non-issue in this case.
If an attacker has the ability to modify LD_PRELOAD of an application, they already have the ability to modify its behaviour without depending upon what D-Bus may let it do.
And if the attacker can change LD_PRELOAD for a process running as root, they might as well affect the target service directly rather than try doing something with the dbus daemon.

[–] realitaetsverlust@piefed.zip 21 points 17 hours ago (1 children)

Honestly 80% of the article is ranting about developers not writing proper documentation or following specs which is not the fault of D-Bus. The only point that I agree with is the lack of security features, but that has never really been a thing back then. Half of the shit that was developed was completely insecure. Not saying that's a good thing btw. But that can be fixed.

[–] jrgd@lemmy.zip 8 points 13 hours ago* (last edited 13 hours ago) (2 children)

To be fair, D-Bus is a protocol. Proper documentation and standards are half of implementation. Without any well-defined standards, a protocol is essentially useless and/or lawless. While not every case of non-compliance is the fault of D-Bus, the general lax nature of how endpoints are intended to be defined as well as the incompleteness for the actual standards applications should adhere to is a significant factor for why many applications are the way they are. In addition to the severe security flaws in D-Bus, this could be written with extensions to the protocol, becoming a new standard. Though if the problems are as deeply rooted as they are, it's not entirely out of the question to create another standard that isn't D-Bus.

[–] ulterno@programming.dev 0 points 5 hours ago

> severe security flaws in D-Bus

I searched for this and all I got was CVEs in the implementations.
What are the flaws in the protocol that I don't know of? If you can link it, I would love to read.

I recently started interacting with code that had something to do with D-Bus and from what I saw, there were policy files, which are required to do anything with D-Bus endpoints provided by software. That's essentially where I stopped, considering that to be the end-all for D-Bus security.

What am I missing?
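The policy files mentioned in the comment above are the XML `busconfig` files read by dbus-daemon. As an added example (not part of the thread and not any project's own code), this sketch audits such a file for `<allow>` rules in the default context that are broader than they look; the service names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy for a hypothetical service "org.example.Demo".
SAMPLE_POLICY = """\
<busconfig>
  <policy user="root">
    <allow own="org.example.Demo"/>
  </policy>
  <policy context="default">
    <allow own="org.example.Helper"/>
    <allow send_destination="org.example.Demo"/>
    <allow send_interface="org.example.Demo.Admin"/>
    <allow send_destination="org.example.Demo"
           send_interface="org.freedesktop.DBus.Properties"
           send_member="Get"/>
  </policy>
</busconfig>
"""

def audit_policy(xml_text):
    """Return (rule attributes, finding) for risky default-context <allow> rules."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("policy"):
        # Rules in context="default" apply to every connection on the bus.
        if policy.get("context") != "default":
            continue
        for rule in policy.findall("allow"):
            a = dict(rule.attrib)
            if "own" in a or "own_prefix" in a:
                findings.append((a, "any user may own this bus name"))
            elif "send_destination" in a and not (
                    "send_interface" in a or "send_member" in a):
                findings.append((a, "all messages to this destination are allowed"))
            elif "send_interface" in a and "send_destination" not in a:
                findings.append((a, "rule matches this interface on every service"))
    return findings

if __name__ == "__main__":
    for attrs, why in audit_policy(SAMPLE_POLICY):
        print(f"{attrs}: {why}")
```

The fourth rule, scoped to one destination, interface and member, is the only default-context rule that passes without a finding.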

[–] realitaetsverlust@piefed.zip 3 points 9 hours ago* (last edited 9 hours ago)

So, first of all, I barely ever had to work with d-bus directly - I used it a few times and it was fine to use.

> Without any well-defined standards, a protocol is essentially useless and/or lawless

When I look for "D-Bus Specification", I get this: https://dbus.freedesktop.org/doc/dbus-specification.html. This LOOKS like a proper documentation of the standard to me.

> the general lax nature of how endpoints are intended to be defined ... is a significant factor for why many applications are the way they are

I feel like this is the same complaint people have about other things, like PHP for example. They see shitty PHP code (like wordpress) and are like: "Oh my god PHP is such a shitty language because this application is written like shit". But I don't blame a language, a framework or a protocol for the failures of the users. I don't feel like an application that close to the system core has to be absolutely "dummy proof". At some point, we should just expect that people know what they're doing, and if they don't, we should blame them, not the underlying technology.

[–] mmmm@sopuli.xyz 12 points 18 hours ago (2 children)

I agree with some comments at HN that proposing an alternative is kinda pointless. D-Bus, contrary to the X situation, can be fixed.

[–] jimmy90@lemmy.world 3 points 6 hours ago (1 children)

rewrite it in rust

should sort it out :D

[–] ulterno@programming.dev 0 points 5 hours ago

Might as well rewrite Shakespeare in Rust, while we are at it :P

[–] SwooshBakery624@programming.dev 1 points 13 hours ago

> Reinventing the wheel won't help

The wheel is fundamentally broken. D-Bus is unfixable due to its core principles being terrible.

[–] SwooshBakery624@programming.dev 2 points 13 hours ago

Hyperbola has been pointing out problems with dbus for years.

Philosophy:Dbus_failure

[–] LiveLM@lemmy.zip 2 points 13 hours ago* (last edited 13 hours ago)

With each passing day Vaxry seems closer and closer to re-implementing the entire userland, I don't know how he avoids burning out...

[–] Deebster@infosec.pub 9 points 19 hours ago

This is quite interesting. I'd been looking into dbus lately and was confused by a few design choices so it makes sense to me that the design is faulty.

Running both simultaneously seems pretty feasible since the session bus should be quite lightweight (worst case would be a lot of inter-bus traffic if/when that gets implemented).

Security and kv are excellent features.

I feel it might have more luck gaining adoption if its name didn't tie it to hyprland.

[–] jeena@piefed.jeena.net 6 points 19 hours ago

Back in 2014 at work we were using and extending dbus-proxy https://github.com/Pelagicore/dbus-proxy because of this weird problem of access rights with D-Bus.

[–] Samueru_sama@programming.dev 2 points 16 hours ago

Portals could have been much simpler like how xdg-open works.

I'm surprised it seems nobody has tried to write an alternative to portals that doesn't use dbus?

[–] it_depends_man@lemmy.world 2 points 18 hours ago

Sounds good, good luck to the dev!