If spawn_dbus_daemon() can fail for TEST_USER_ME, then we'd have to
go through all the tests adding the ability to skip tests after
it fails, which is a fairly extensive change.
The tests have historically all run as whatever uid is supplied, and
if the tests are being run as root for some reason - perhaps in a CI
framework for an embedded platform that doesn't have non-root users,
or in an environment where you can be root or non-root but not both -
there is no particular reason to skip them.
Unlike the initial mitigation for CVE-2014-8148, we now allow
uid 0 to call UpdateActivationEnvironment. There's no point in root
doing that, but there's also no reason why it's particularly bad -
if an attacker is uid 0 we've already lost - and it simplifies
use of this function for future things that do want to be callable
by root, like BecomeMonitor for #46787.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
We run each test twice:
* once with the system's session.conf, as an integration test
(test-cases that need a special configuration are automatically
skipped)
* once with our special test configuration files, which provide better
coverage
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
In the process, make test_kill_pid() safer: do not try to terminate
more than one pid, or the NULL handle.
Also stop leaking the address_fd in spawn_dbus_daemon, a pre-existing
bug that was spotted by Philip Withnall during review.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
This is for g_close(), which the next commit will use. It also lets us
rely on g_type_init() being a no-op (since 2.32 the type system is
always initialized by a global constructor).
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
This fix is required to support at least ipv4 tcp support calling
_dbus_listen_tcp_socket() without family.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=87999
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
pygobject 2 is obsolete and unmaintained, and anyway this is for
optional functionality (full regression test coverage) rather than
anything that will be needed in production builds.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=85969
Otherwise, we get:
dbus/dbus-object-tree.c:323:1: error: 'find_subtree' defined but not used [-Werror=unused-function]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=87837
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
These function calls are not a privilege escalation risk like
UpdateActivationEnvironment, but they might provide sensitive
information or be enhanced to provide sensitive information
in future, so the default system.conf locks them down to root-only.
Apply the same canonical-object-path hardening as for
UpdateActivationEnvironment.
We do not apply the uid check here because they are less dangerous
than UpdateActivationEnvironment, and because the ability to unlock
these function calls for specific uids is a documented configuration
for developers.
Reviewed-by: Thiago Macieira <thiago@kde.org>
[added missing #include; extended commit message -smcv]
As with the previous commit, this is probably not actually privilege
escalation due to the use of an activation helper that cleans up its
environment, but let's be extra-careful here.
Reviewed-by: Thiago Macieira <thiago@kde.org>
[adjusted commit message -smcv]
UpdateActivationEnvironment is the one dbus-daemon API call that is
obviously dangerous (it is intended for the session bus),
so the default system.conf does not allow anyone to call it.
It has recently come to the D-Bus maintainers' attention that some
system services incorrectly install D-Bus policy rules that allow
arbitrary method calls to any destination as long as they have a
"safe" object path. This is not actually safe: some system services
that use low-level D-Bus bindings like libdbus, including dbus-daemon
itself, provide the same API on all object paths.
Unauthorized calls to UpdateActivationEnvironment are probably just
resource consumption rather than privilege escalation, because on
the system bus, the modified environment is only used to execute
a setuid wrapper that avoids LD_PRELOAD etc. via normal setuid
handling, and sanitizes its own environment before executing
the real service. However, it's safest to assume the worst and
treat it as a potential privilege escalation.
Accordingly, as a hardening measure to avoid privilege escalation on
systems with these faulty services, stop allowing calls to
("/com/example/Whatever",
"org.freedesktop.DBus.UpdateActivationEnvironment")
and only allow ("/org/freedesktop/DBus",
"org.freedesktop.DBus.UpdateActivationEnvironment").
We deliberately continue to provide read-only APIs like
GetConnectionUnixUser at all object paths, for backwards compatibility.
Reviewed-by: Thiago Macieira <thiago@kde.org>
[adjusted commit message to note that this is probably only DoS -smcv]
