| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
How it should work:
When a D-Bus message activates a service, LSMs (SELinux or AppArmor) check
whether the message can be delivered after the service has been activated. The
service is considered activated when its well-known name is requested with
org.freedesktop.DBus.RequestName. When the message delivery is denied, the
service stays activated but should not receive the activating message (the
message which triggered the activation). dbus-daemon is supposed to drop the
activating message and reply to the sender with a D-Bus error message.
However, it does not work as expected:
1. The error message is delivered to the service instead of being delivered to
the sender. As an example, the error message could be something like:
An SELinux policy prevents this sender from sending this
message to this recipient, [...] member="MaliciousMethod"
If the sender and the service are malicious confederates and agree on a
protocol to insert information in the member name, the sender can leak
information to the service, even though the LSM attempted to block the
communication between the sender and the service.
2. The error message is delivered as a reply to the RequestName call from
service. It means the activated service will believe it cannot request the
name and might exit. The sender could activate the service frequently and
systemd will give up activating it. Thus the denial of service.
The following changes fix the bug:
- bus_activation_send_pending_auto_activation_messages() only returns an error
in case of OOM. The prototype is changed to return TRUE, or FALSE on OOM
(and its only caller sets the OOM error).
- When a client is not allowed to talk to the service, a D-Bus error message
is pre-allocated to be delivered to the client as part of the transaction.
The error is not propagated to the caller so RequestName will not fail
(except on OOM).
[fixed a misleading comment -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=78979
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Colin Walters <walters@verbum.org>
Backported: to dbus-1.2, whitespace conflicts in bus/activation.c
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Otherwise, the tests try to connect to the real system bus, which will
often fail - particularly if you run the tests configured for the default
/usr/local (with no intention of installing the result), in which case
the tests would try to connect to /usr/local/var/run/dbus/system_bus_socket.
Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=52202
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The fix for CVE-2012-3524 filters out all environment variables if
libdbus is used from a setuid program, to prevent various spoofing
attacks.
Unfortunately, the activation helper is a setuid program linking
libdbus, and this creates a regression for launched programs using
DBUS_STARTER_ADDRESS, since it will no longer exist.
Fix this by hardcoding the starter address to the default system bus
address.
Signed-off-by: Geoffrey Thomas <gthomas@mokafive.com>
Signed-off-by: Colin Walters <walters@verbum.org>
|
|
|
|
|
|
|
|
|
| |
It's not really useful.
See https://bugs.freedesktop.org/show_bug.cgi?id=52202#c17
Conflicts:
bus/activation-helper.c
|
|
|
|
|
|
|
|
|
| |
This is a highly theoretical concern, but we might as well.
https://bugs.freedesktop.org/show_bug.cgi?id=52202
Conflicts:
dbus/dbus-sysdeps-pthread.c
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This matches a corresponding change in GLib. See
glib/gutils.c:g_check_setuid().
Some programs attempt to use libdbus when setuid; notably the X.org
server is shipped in such a configuration. libdbus never had an
explicit policy about its use in setuid programs.
I'm not sure whether we should advertise such support. However, given
that there are real-world programs that do this currently, we can make
them safer with not too much effort.
Better to fix a problem caused by an interaction between two
components in *both* places if possible.
How to determine whether or not we're running in a privilege-escalated
path is operating system specific. Note that GTK+'s code to check
euid versus uid worked historically on Unix, more modern systems have
filesystem capabilities and SELinux domain transitions, neither of
which are captured by the uid comparison.
On Linux/glibc, the way this works is that the kernel sets an
AT_SECURE flag in the ELF auxiliary vector, and glibc looks for it on
startup. If found, then glibc sets a public-but-undocumented
__libc_enable_secure variable which we can use. Unfortunately, while
it *previously* worked to check this variable, a combination of newer
binutils and RPM break it:
http://www.openwall.com/lists/owl-dev/2012/08/14/1
So for now on Linux/glibc, we fall back to the historical Unix version
until we get glibc fixed.
On some BSD variants, there is a issetugid() function. On other Unix
variants, we fall back to what GTK+ has been doing.
Reported-by: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Colin Walters <walters@verbum.org>
[backported to 1.2 -smcv]
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
struct member
This has been wrong approximately forever, for instance see:
http://lists.freedesktop.org/archives/dbus/2007-March/007357.html
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=38120
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629938
Reviewed-by: Will Thompson <will.thompson@collabora.co.uk>
Backported: from dbus-1.4, c3223ba6c401ba81df1305851312a47c485e6cd7
|
|
|
|
| |
compilation
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add DBUS_INVALID_NESTED_TOO_DEEPLY validity problem and a test that
should generate it.
Previously, we rejected deep nesting in the signature, but
variants allow dynamic message nesting, conditional only
on the depth of the message body.
The nesting limit is 64, which was also the limit in static
signatures. Empirically, dynamic nesting depth observed on my
Fedora 14 system doesn't exceed 2; 64 is really a huge limit.
https://bugs.freedesktop.org/show_bug.cgi?id=32321
Signed-Off-By: Colin Walters <walters@verbum.org>
Signed-off-by: Will Thompson <will.thompson@collabora.co.uk>
Conflicts:
dbus/dbus-marshal-validate.h
|
| |
|
|
|
|
|
|
|
|
| |
See https://bugzilla.redhat.com/show_bug.cgi?id=521797
We have two init scripts, and commit 05283235632bc8891aaa3047563cb4
patched the "wrong" (i.e. slackware) one. Patch one that ships
with real operating systems too.
|
|
|
|
|
|
|
| |
This helps to avoid 'Address already in use' problems if server has been shut
down, and then restarted while sockets are still active on its port.
Signed-off-by: Steffen Sledz <sledz@dresearch.de>
|
|
|
|
| |
This is needed for the libxml parser backend.
|
|
|
|
|
|
|
|
|
| |
Since the connection lock is released for a short while in
_dbus_connection_acquire_io_path there can already be a method return
received by another thread. The fix is to do an extra check after the
I/O path has been aquired both.
Approved-by: Thiago Macieira
|
|
|
|
|
|
|
|
|
|
|
| |
num_fds is the number of elements of dirs currently in use. This bug
meant that encountering a previously un-watched directory would cause j
to increment forever, and so dirs[j] would eventually segfault.
(I've checked the corresponding code for inotify, and it's correct. I
wonder if some of the duplication could be eliminated.)
Thanks to Pablo Martí Gamboa <pmarti@warp.es> for reporting this issue!
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
Really we don't have any interesting cleanup to do, so just
let the process die.
https://bugs.freedesktop.org/show_bug.cgi?id=26303
|
|
|
|
|
|
|
| |
There were already defines for formatting pids and uids, so use those.
In the case where we don't have a format specifier for 64 bit, print
(omitted) in dbus-monitor.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=19195
We were previously using -Wno-format because we didn't have
a #define for DBUS_INT64_MODIFIER, which was really lame because
it easily hid problems.
For now, just define it if we're on glibc; this is obviously
not strictly correct but it's safe, because the formatting
is only used in DBUS_VERBOSE mode, and in tools/dbus-monitor.
Ideally we get the the glib code relicensed.
|
|
|
|
| |
Otherwise we don't get GCC warnings.
|
| |
|
|
|
|
|
|
|
|
| |
Previously, if a method call activated a service, it would only be
delivered to that service, and not to other services with match rules
which should match. This patch replaces the improperly-duplicated
dispatch code in activation.c with a call back into the normal dispatch
code, fixing this bug (fd.o#26427).
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
This test, while extensive, has the serious flaw of effectively
spinning on _dbus_connection_do_iteration_unlocked. Any tests
like this should be using the internal DBus mainloop, which
I don't have time to port it to before doing a release.
|
|
|
|
|
|
| |
Basically honor the no_reply flag; a binding is likely to want to
set this so it doesn't have to process extra traffic for match
rules.
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=572769
Previously we'd just continue if AVC initialization failed, but
that didn't really work because then we'd later crash in
avc_has_perm.
Simply treat initialization failures as fatal, and hopefully we
can get data from the system log.
|
|
|
|
|
|
|
|
|
| |
Previously we were simply logging as "dbus", and it was unclear
whether it was the system bus, or a session bus. And if the latter,
which user?
This patch adds a prefix to the log message with the bus type
and the userid.
|
|
|
|
| |
Convert the credentials to a string; useful for logging.
|
|
|
|
|
| |
This severity is useful for when we encounter a fatal problem; we
get a log message out, then exit.
|
|
|
|
|
| |
In preparation for a future patch which introduces a fatal logging level,
don't duplicate the API here.
|
|
|
|
|
|
| |
read() returns a signed value, whereas the byte count is unsigned.
Signed-off-by: Colin Walters <walters@verbum.org>
|
| |
|
|
|
|
|
|
|
|
| |
http://bugs.freedesktop.org/show_bug.cgi?id=12953
Wait for memory if we can't init the string.
Based on an original patch by Kimmo Hämäläinen <kimmo.hamalainen@nokia.com>
|
|
|
|
|
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=9486
When describing DBUS_COOKIE_SHA1, specify that lower-case hex encoding
must be used.
|
|
|
|
|
|
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=23957
Previously we detected glibc support at compile time and used
it unconditionally; better to try it and fall back, this way
we continue to run on older kernels when compiled for newer ones.
|
|
|
|
| |
Signed-off-by: Thiago Macieira <thiago@kde.org>
|
|
|
|
|
|
| |
By rough consensus, and to keep up with the cool kids.
Note to builders: you need to use V=1 to enable verbose mode.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
http://lists.freedesktop.org/archives/dbus/2010-March/012337.html
Previously, the watch handler would block until the I/O path was available.
However, if another non-main thread was doing a synchronous call, this would
cause the main thread to block on that thread, a highly undesirable
thing because it's important for the main thread to remain responsive
for user interfaces.
Signed-off-by: Colin Walters <walters@verbum.org>
Signed-off-by: Thiago Macieira <thiago@kde.org>
|