How it should work:
When a D-Bus message activates a service, LSMs (SELinux or AppArmor) check
whether the message can be delivered after the service has been activated. The
service is considered activated when its well-known name is requested with
org.freedesktop.DBus.RequestName. When the message delivery is denied, the
service stays activated but should not receive the activating message (the
message which triggered the activation). dbus-daemon is supposed to drop the
activating message and reply to the sender with a D-Bus error message.
However, it does not work as expected:
1. The error message is delivered to the service instead of being delivered to
   the sender. As an example, the error message could be something like:
     An SELinux policy prevents this sender from sending this
     message to this recipient, [...] member="MaliciousMethod"
   If the sender and the service are malicious confederates and agree on a
   protocol to insert information in the member name, the sender can leak
   information to the service, even though the LSM attempted to block the
   communication between the sender and the service.
2. The error message is delivered as a reply to the RequestName call from
   the service. It means the activated service will believe it cannot request
   the name and might exit. The sender could activate the service frequently
   and systemd will give up activating it. Thus the denial of service.
The following changes fix the bug:
- bus_activation_send_pending_auto_activation_messages() only returns an error
in case of OOM. The prototype is changed to return TRUE, or FALSE on OOM
(and its only caller sets the OOM error).
- When a client is not allowed to talk to the service, a D-Bus error message
is pre-allocated to be delivered to the client as part of the transaction.
The error is not propagated to the caller so RequestName will not fail
(except on OOM).
[fixed a misleading comment -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=78979
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Colin Walters <walters@verbum.org>
| |
During distcheck, the srcdir is read-only. During "make all", cp may
preserve the read-only status of the file copied from the srcdir,
resulting in failure to overwrite it with an identical file during
"make check" (which depends on all-local).
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
| |
Reviewed-by: Thiago Macieira <thiago@kde.org>
| |
Using a va_list more than once is non-portable: it happens to work
under the ABI of (for instance) x86 Linux, but not x86-64 Linux.
This led to _dbus_printf_string_upper_bound() crashing if it should
have returned exactly 1024 bytes. Many system services can be induced
to process a caller-controlled string in ways that
end up using _dbus_printf_string_upper_bound(), so this is a denial of
service.
Reviewed-by: Thiago Macieira <thiago@kde.org>
| |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=56927
[commit message added -smcv]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
| |
Otherwise, the tests try to connect to the real system bus, which will
often fail - particularly if you run the tests configured for the default
/usr/local (with no intention of installing the result), in which case
the tests would try to connect to /usr/local/var/run/dbus/system_bus_socket.
Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=52202
| |
The fix for CVE-2012-3524 filters out all environment variables if
libdbus is used from a setuid program, to prevent various spoofing
attacks.
Unfortunately, the activation helper is a setuid program linking
libdbus, and this creates a regression for launched programs using
DBUS_STARTER_ADDRESS, since it will no longer exist.
Fix this by hardcoding the starter address to the default system bus
address.
Signed-off-by: Geoffrey Thomas <gthomas@mokafive.com>
Signed-off-by: Colin Walters <walters@verbum.org>
| |
It's not really useful.
See https://bugs.freedesktop.org/show_bug.cgi?id=52202#c17
Conflicts:
bus/activation-helper.c
| |
This is a highly theoretical concern, but we might as well.
https://bugs.freedesktop.org/show_bug.cgi?id=52202
Conflicts:
dbus/dbus-sysdeps-pthread.c
| |
This matches a corresponding change in GLib. See
glib/gutils.c:g_check_setuid().
Some programs attempt to use libdbus when setuid; notably the X.org
server is shipped in such a configuration. libdbus never had an
explicit policy about its use in setuid programs.
I'm not sure whether we should advertise such support. However, given
that there are real-world programs that do this currently, we can make
them safer with not too much effort.
Better to fix a problem caused by an interaction between two
components in *both* places if possible.
How to determine whether or not we're running in a privilege-escalated
path is operating system specific. Note that GTK+'s code to check
euid versus uid worked historically on Unix; more modern systems have
filesystem capabilities and SELinux domain transitions, neither of
which are captured by the uid comparison.
On Linux/glibc, the way this works is that the kernel sets an
AT_SECURE flag in the ELF auxiliary vector, and glibc looks for it on
startup. If found, then glibc sets a public-but-undocumented
__libc_enable_secure variable which we can use. Unfortunately, while
it *previously* worked to check this variable, a combination of newer
binutils and RPM break it:
http://www.openwall.com/lists/owl-dev/2012/08/14/1
So for now on Linux/glibc, we fall back to the historical Unix version
until we get glibc fixed.
On some BSD variants, there is an issetugid() function. On other Unix
variants, we fall back to what GTK+ has been doing.
Reported-by: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Colin Walters <walters@verbum.org>
Conflicts:
dbus/dbus-sysdeps-unix.c
| |
$(INSTALL) and $(INSTALL_DATA) try to change ownerships to root:bin when
copying tests to builddir. Presumably this is a difference in behaviour
between GNU and BSD install(1): the one in GNU coreutils doesn't try-and-fail
to change ownership if you're not root.
[Commit message added by smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=48127
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
| |
When libdbus-1 moved to using monotonic time, support for the
DBUS_COOKIE_SHA1 authentication was broken, in particular
interoperability with non-libdbus-1 implementations such as GDBus.
The problem is that if monotonic clocks are available in the OS,
_dbus_get_current_time() will not return the number of seconds since
the Epoch so using it for DBUS_COOKIE_SHA1 will violate the D-Bus
specification. If both peers are using libdbus-1 it's not a problem
since both ends will use the wrong time and thus agree. However, if
the other end is another implementation and following the spec it will
not work.
First, we change _dbus_get_current_time() back so it always returns
time since the Epoch and we then rename it _dbus_get_real_time() to
make this clear. We then introduce _dbus_get_monotonic_time() and
carefully make all current users of _dbus_get_current_time() use it,
if applicable. During this audit, one of the callers,
_dbus_generate_uuid(), was currently using monotonic time but it was
decided to make it use real time instead.
Signed-off-by: David Zeuthen <davidz@redhat.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=48580
| |
In mingw-w64 both ESOMETHING and WSASOMETHING are defined,
leading to a duplicate case in the switch.
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=47321
| |
g_thread_init() is deprecated since glib 2.24, call g_type_init() instead.
Bump glib requirement accordingly.
g_thread_create is deprecated since 2.31, use g_thread_new() instead. When
building with a glib earlier than 2.31, provide a backwards compatibility shim.
[Added a comment about why we're using g_type_init() in a test that
doesn't otherwise use GObject -smcv]
[Applied to 1.4 despite just being a deprecation fix because it also fixes
linking with GLib 2.32, in which gthread has been removed from gobject's
Requires and moved to Requires.private, Debian #665665 -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=44413
Bug-Debian: http://bugs.debian.org/665665
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
| |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=33840
Reviewed-by: Will Thompson <will.thompson@collabora.co.uk>
| |
C++11 compilers have a feature called 'user-defined string literals' which
allow arbitrary string suffixes to have user-defined meaning.
This makes code that concatenates macros with string literals without
intervening whitespace illegal under C++11. Fortunately, string literal
concatenation has allowed intervening whitespace since the dawn of time,
so the solution is to simply pad with spaces.
Tested (header) with GCC 4.7 (trunk).
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46147
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
| |
mechanisms
Previously, only one auth mechanism was used.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=45106
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
| |
auth mechanisms"
This reverts commit 26b57efe43c991616186db5c499f729a900c6544.
It was incorrectly attributed.
| |
man2html expects to find its input on stdin, so just passing the
filename will cause it to hang waiting for input.
[man2html 1.6g as shipped in Debian seems to be fine with files on the
command line, but apparently other versions aren't? -smcv]
Signed-off-by: Jack Nagel <jacknagel@gmail.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=43875
| |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=44413
| |
This completes the reversion started in 5df8c3db12590edd68e968.
| |
mechanisms
Previously, only one auth mechanism was used.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=45106
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
| |
This would now just attempt to close fd -1, which is useless.
[commit message added by smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=37258
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
| |
Someone seems to have merged part of master into 1.4. Again. Let's go
back to the "last known good" point (the branch-point of some 1.4
branches I had locally), then we can cherry-pick the changes that
should have gone in.
| |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=38201
| |
service file
| | |
With this key we can specify the default session bus address
at compile time with autotool builds made with mingw32.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=43639
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
| | | |
We don't really need g_socket_send_with_blocking here.
Also, don't leak the GLib socket objects.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=41219
Reviewed-by: Lennart Poettering <lennart@poettering.net>
| | | |
This avoids spamming ~/.dbus and ~/.dbus-keyrings with filesystem activity
while running the tests.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=41218
Reviewed-by: Lennart Poettering <lennart@poettering.net>
| | | |
If getaddrinfo (with port == 0) succeeds, the kernel gives us a port when
we first listen on a socket, we jump back to redo_lookup_with_port,
and getaddrinfo (with the nonzero port) fails, we leak listen_fd and all
the fds in it.
From the department of "without static analysis we'd never have spotted
this", or possibly "backward goto considered harmful".
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=29881
Bug-NB: NB#180486 CID-2389
Reviewed-by: Will Thompson <will.thompson@collabora.co.uk>