authorSimon McVittie <simon.mcvittie@collabora.co.uk>2014-11-24 13:05:09 +0000
committerSimon McVittie <simon.mcvittie@collabora.co.uk>2014-11-24 13:05:09 +0000
commit2bc75daa2c4ae11d038b1ce576ef2ca63f26fb19 (patch)
treebd2d28369b4e42618974fac44d16cacbc220549b
parent1f1649eadaabd61e1b5a38516ac6c3e72e36ef44 (diff)
parent4afb7a7412bee7934e532cd33ed10634314c247f (diff)
downloaddbus-2bc75daa2c4ae11d038b1ce576ef2ca63f26fb19.tar.gz
Merge branch 'dbus-1.8'
Conflicts: NEWS configure.ac
-rw-r--r--NEWS18
-rw-r--r--bus/config-parser.c2
-rw-r--r--bus/connection.c8
3 files changed, 27 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 2e4bd822..2a424674 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,24 @@ D-Bus 1.9.4 (UNRELEASED)
Fixes:
+• Partially revert the CVE-2014-3639 patch by increasing the default
+ authentication timeout on the system bus from 5 seconds back to 30
+ seconds, since this has been reported to cause boot regressions for
+ some users, mostly with parallel boot (systemd) on slower hardware.
+
+ On fast systems where local users are considered particularly hostile,
+ administrators can return to the 5 second timeout (or any other value
+ in milliseconds) by saving this as /etc/dbus-1/system-local.conf:
+
+ <busconfig>
+ <limit name="auth_timeout">5000</limit>
+ </busconfig>
+
+ (fd.o #86431, Simon McVittie)
+
+• Add a message in syslog/the Journal when the auth_timeout is exceeded
+ (fd.o #86431, Simon McVittie)
+
• Send back an AccessDenied error if the addressed recipient is not allowed
to receive a message (and in builds with assertions enabled, don't
assert under the same conditions). (fd.o #86194, Jacek Bukarewicz)
diff --git a/bus/config-parser.c b/bus/config-parser.c
index 7bc9c019..ee2d4e7d 100644
--- a/bus/config-parser.c
+++ b/bus/config-parser.c
@@ -438,7 +438,7 @@ bus_config_parser_new (const DBusString *basedir,
* and legitimate auth will fail. If interactive auth (ask user for
* password) is allowed, then potentially it has to be quite long.
*/
- parser->limits.auth_timeout = 5000; /* 5 seconds */
+ parser->limits.auth_timeout = 30000; /* 30 seconds */
/* Do not allow a fd to stay forever in dbus-daemon
* https://bugs.freedesktop.org/show_bug.cgi?id=80559
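Review bot: The `/* 30 seconds */` comment on the changed line records the new value but not why it went back up, so the link to CVE-2014-3639 and the boot regression (fd.o #86431) lives only in NEWS. Because an unauthenticated peer can now hold an incomplete-connection slot six times longer, I would extend the comment block above the assignment with something like `* Raised from 5s (CVE-2014-3639 hardening) back to 30s, see fd.o #86431; override via <limit name="auth_timeout">.` It is also worth confirming that the default for max_incomplete_connections is still adequate with the longer timeout; that limit is not visible in this hunk. The enclosing comment and bus_config_parser_new both begin outside the hunk.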
diff --git a/bus/connection.c b/bus/connection.c
index 0df8a3a8..3d8a5fae 100644
--- a/bus/connection.c
+++ b/bus/connection.c
@@ -860,6 +860,14 @@ bus_connections_expire_incomplete (BusConnections *connections)
if (elapsed >= (double) auth_timeout)
{
+ /* Unfortunately, we can't identify the connection: it doesn't
+ * have a unique name yet, we don't know its uid/pid yet,
+ * and so on. */
+ bus_context_log (connections->context, DBUS_SYSTEM_LOG_INFO,
+ "Connection has not authenticated soon enough, closing it "
+ "(auth_timeout=%dms, elapsed: %.0fms)",
+ auth_timeout, elapsed);
+
_dbus_verbose ("Timing out authentication for connection %p\n", connection);
dbus_connection_close (connection);
}
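Review bot: The new bus_context_log call fires once per expired connection with no throttling, on a path that any local process can reach by connecting and never authenticating. The rate is presumably capped by the incomplete-connection limit and auth_timeout, neither of which is visible here. If that holds, a comment stating it would help, e.g. `/* At most max_incomplete_connections messages per auth_timeout period */`; otherwise consider counting expiries and logging one summary line per pass. The `%d` conversion also assumes auth_timeout is an int; its declaration is outside the hunk, as are the start and end of bus_connections_expire_incomplete.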