Security hardening: force EXTERNAL auth in session.conf on Unix

DBUS_COOKIE_SHA1 is dependent on unguessable strings, i.e. indirectly dependent on high-quality pseudo-random numbers whereas EXTERNAL authentication (credentials-passing) is mediated by the kernel and cannot be faked. On Windows, EXTERNAL authentication is not available, so we continue to use the hard-coded default (all authentication mechanisms are tried). Users of tcp: or nonce-tcp: on Unix will have to comment this out, but they would have had to use a special configuration anyway (to set the listening address), and the tcp: and nonce-tcp: transports are inherently insecure unless special steps are taken to have them restricted to a VPN or SSH tunnelling. Users of obscure Unix platforms (those that trigger the warning "Socket credentials not supported on this Unix OS" when compiling dbus-sysdeps-unix.c) might also have to comment this out, or preferably provide a tested patch to enable credentials-passing on that OS. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90414 Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
2026-05-01 04:28:01 +02:00 · 2015-05-12 11:10:58 +01:00 · 2015-05-12 11:10:58 +01:00 · 084977cfe2
commit 084977cfe2
parent 954371eea2
3 changed files with 21 additions and 0 deletions
--- a/bus/session.conf.in
+++ b/bus/session.conf.in
@ -14,6 +14,16 @@

  <listen>@DBUS_SESSION_BUS_LISTEN_ADDRESS@</listen>

+  <!-- On Unix systems, the most secure authentication mechanism is
+  EXTERNAL, which uses credential-passing over Unix sockets.
+
+  This authentication mechanism is not available on Windows,
+  is not suitable for use with the tcp: or nonce-tcp: transports,
+  and will not work on obscure flavours of Unix that do not have
+  a supported credentials-passing mechanism. On those platforms/transports,
+  comment out the <auth> element to allow fallback to DBUS_COOKIE_SHA1. -->
+  @DBUS_SESSION_CONF_MAYBE_AUTH_EXTERNAL@
+
  <standard_session_servicedirs />

  <policy context="default">
--- a/cmake/CMakeLists.txt
+++ b/cmake/CMakeLists.txt
@ -452,6 +452,7 @@ if (WIN32)
  # bus-test expects a non empty string
  set (DBUS_USER "Administrator")
  set (DBUS_TEST_USER "guest")
+  set (DBUS_SESSION_CONF_MAYBE_AUTH_EXTERNAL "<!--<auth>EXTERNAL</auth>-->")
 else (WIN32)
  set (DBUS_SESSION_BUS_LISTEN_ADDRESS "unix:tmpdir=${DBUS_SESSION_SOCKET_DIR}" CACHE STRING "session bus default listening address")
  set (DBUS_SESSION_BUS_CONNECT_ADDRESS "autolaunch:" CACHE STRING "session bus fallback address for clients")
@ -461,6 +462,9 @@ else (WIN32)
  set (DBUS_SESSION_CONFIG_FILE ${configdir}/session.conf)
  set (DBUS_USER "messagebus")
  set (DBUS_TEST_USER "nobody")
+  # For best security, assume that all non-Windows platforms can do
+  # credentials-passing.
+  set (DBUS_SESSION_CONF_MAYBE_AUTH_EXTERNAL "<auth>EXTERNAL</auth>")
 endif (WIN32)

 set (DBUS_DAEMON_NAME "dbus-daemon" CACHE STRING "The name of the dbus daemon executable")
--- a/configure.ac
+++ b/configure.ac
@ -134,6 +134,13 @@ if test "$dbus_cygwin" = yes; then
    AC_DEFINE(DBUS_CYGWIN,1,[Defined if we run on a cygwin API based system])
 fi

+# For best security, assume that all non-Windows platforms can do
+# credentials-passing.
+AS_IF([test "$dbus_win" = yes],
+    [DBUS_SESSION_CONF_MAYBE_AUTH_EXTERNAL="<!--<auth>EXTERNAL</auth>-->"],
+    [DBUS_SESSION_CONF_MAYBE_AUTH_EXTERNAL="<auth>EXTERNAL</auth>"])
+AC_SUBST([DBUS_SESSION_CONF_MAYBE_AUTH_EXTERNAL])
+
 AM_CONDITIONAL(DBUS_WIN, test "$dbus_win" = yes)
 AM_CONDITIONAL(DBUS_WINCE, test "$dbus_wince" = yes)
 AM_CONDITIONAL(DBUS_UNIX, test "$dbus_unix" = yes)