fdo-mirrors/dbus
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/dbus/dbus.git synced 2026-03-23 19:00:45 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
dbus/dbus
History
Simon McVittie 2a11ab9bbd auth: Reject DBUS_COOKIE_SHA1 for users other than the server owner 
The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
of a shared home directory by having the server write a secret "cookie"
into a .dbus-keyrings subdirectory of the desired identity's home
directory with 0700 permissions, and having the client prove that it can
read the cookie. This never actually worked for non-malicious clients in
the case where server uid != client uid (unless the server and client
both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
Unix uid 0) because an unprivileged server would fail to write out the
cookie, and an unprivileged client would be unable to read the resulting
file owned by the server.

Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
is owned by the uid of the server (a side-effect of a check added to
harden our use of XDG_RUNTIME_DIR), further ruling out successful use
by a non-malicious client with a uid differing from the server's.

Joe Vennix of Apple Information Security discovered that the
implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
attack: a malicious client with write access to its own home directory
could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
read and write in unintended locations. In the worst case this could
result in the DBusServer reusing a cookie that is known to the
malicious client, and treating that cookie as evidence that a subsequent
client connection came from an attacker-chosen uid, allowing
authentication bypass.

This is mitigated by the fact that by default, the well-known system
dbus-daemon (since 2003) and the well-known session dbus-daemon (in
stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
at an early stage, before manipulating cookies. As a result, this
vulnerability only applies to:

* system or session dbus-daemons with non-standard configuration
* third-party dbus-daemon invocations such as at-spi2-core (although
  in practice at-spi2-core also only accepts EXTERNAL by default)
* third-party uses of DBusServer such as the one in Upstart

Avoiding symlink attacks in a portable way is difficult, because APIs
like openat() and Linux /proc/self/fd are not universally available.
However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
a non-matching uid, we can solve this vulnerability in an easier way
without regressions, by rejecting it early (before looking at
~/.dbus-keyrings) whenever the requested identity doesn't match the
identity of the process hosting the DBusServer.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
Closes: CVE-2019-12749
2019-06-09 13:08:22 +01:00
..
.gitignore .gitignore: Ignore many more generated files 2018-12-14 13:28:50 +00:00
CMakeLists.txt Fixes remaining indentations that are not covered by the cmake formatting script in CMakeLists.txt files 2019-01-24 09:08:15 +01:00
dbus-address.c embedded tests: Conform to the same API for all tests 2018-12-17 14:12:59 +00:00
dbus-address.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-arch-deps.h.in Remove support for platforms with no 64-bit integer type 2013-09-16 15:31:02 +01:00
dbus-asv-util.c Add _dbus_asv_add_fixed_array 2019-03-25 21:04:21 +01:00
dbus-asv-util.h Add _dbus_asv_add_fixed_array 2019-03-25 21:04:21 +01:00
dbus-auth.c auth: Reject DBUS_COOKIE_SHA1 for users other than the server owner 2019-06-09 13:08:22 +01:00
dbus-auth.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-bus.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-bus.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-connection-internal.h test: Move _dbus_transport_unix_test() here 2019-01-21 15:22:07 +00:00
dbus-connection.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-connection.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-credentials.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-credentials.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-dataslot.c embedded tests: Conform to the same API for all tests 2018-12-17 14:12:59 +00:00
dbus-dataslot.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-errors.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-errors.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-file-unix.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-file-win.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-file.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-file.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-hash.c test: Unembed hash test from libdbus and move it into test/ 2019-01-21 15:20:06 +00:00
dbus-hash.h test: Unembed hash test from libdbus and move it into test/ 2019-01-21 15:20:06 +00:00
dbus-init-win.cpp dbus_threads_init_default, dbus_threads_init: be safe to call at any time 2013-05-10 11:35:08 +01:00
dbus-internals.c test-spawn-oom: Separate single spawn tests from oom related 2019-03-15 17:06:01 +00:00
dbus-internals.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-keyring.c embedded tests: Conform to the same API for all tests 2018-12-17 14:12:59 +00:00
dbus-keyring.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-list.c test: Move _dbus_list_test() here 2019-01-21 15:22:07 +00:00
dbus-list.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-macros.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-mainloop.c Rename structure DBusSocketSet to DBusPollableSet and adjust the corresponding functions/files 2019-01-09 15:20:19 +01:00
dbus-mainloop.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-marshal-basic.c embedded tests: Conform to the same API for all tests 2018-12-17 14:12:59 +00:00
dbus-marshal-basic.h Don't cast user-supplied pointers to DBusBasicValue * 2018-12-11 12:23:06 +00:00
dbus-marshal-byteswap.c Fix warning: "pointer targets in assignment differ in signedness [-Wpointer-sign]". 2015-11-24 12:26:00 +01:00
dbus-marshal-byteswap.h Add DBUS_PRIVATE_EXPORT decoration to symbols used by dbus-daemon or tests 2015-02-20 20:49:36 +00:00
dbus-marshal-header.c DBusMessage: Add a header field for the container instance 2018-02-16 15:27:37 +00:00
dbus-marshal-header.h _dbus_message_remove_unknown_fields: Add 2018-01-11 18:34:39 +00:00
dbus-marshal-recursive.c Don't cast user-supplied pointers to DBusBasicValue * 2018-12-11 12:23:06 +00:00
dbus-marshal-recursive.h Don't cast user-supplied pointers to DBusBasicValue * 2018-12-11 12:23:06 +00:00
dbus-marshal-validate.c validate_body_helper: Bounds-check before validating booleans 2018-08-02 19:20:32 +01:00
dbus-marshal-validate.h dbus-marshal-validate.h: Make self-contained 2018-12-17 14:12:59 +00:00
dbus-memory.c embedded tests: Conform to the same API for all tests 2018-12-17 14:12:59 +00:00
dbus-memory.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-mempool.c embedded tests: Conform to the same API for all tests 2018-12-17 14:12:59 +00:00
dbus-mempool.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-message-internal.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-message-private.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-message-util.c test: Move dbus-message-factory and most of dbus-message-util into test/ 2019-01-21 15:20:39 +00:00
dbus-message.c Don't cast user-supplied pointers to DBusBasicValue * 2018-12-11 12:23:06 +00:00
dbus-message.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-misc.c test: Move _dbus_misc_test() here 2019-01-21 15:22:06 +00:00
dbus-misc.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-nonce.c nonce: Don't try to rmdir(NULL) on OOM 2018-08-02 17:15:29 +01:00
dbus-nonce.h DBusNonceFile: Don't rely on caller preallocating the object 2017-11-07 12:43:52 +00:00
dbus-object-tree.c embedded tests: Conform to the same API for all tests 2018-12-17 14:12:59 +00:00
dbus-object-tree.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-pending-call-internal.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-pending-call.c DBusPendingCall: Improve doc-comments around completed flag 2018-02-06 18:48:47 +00:00
dbus-pending-call.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-pipe-unix.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-pipe-win.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-pipe.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-pipe.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-pollable-set-epoll.c Rename structure DBusSocketSet to DBusPollableSet and adjust the corresponding functions/files 2019-01-09 15:20:19 +01:00
dbus-pollable-set-poll.c Rename structure DBusSocketSet to DBusPollableSet and adjust the corresponding functions/files 2019-01-09 15:20:19 +01:00
dbus-pollable-set.c Rename structure DBusSocketSet to DBusPollableSet and adjust the corresponding functions/files 2019-01-09 15:20:19 +01:00
dbus-pollable-set.h Rename structure DBusSocketSet to DBusPollableSet and adjust the corresponding functions/files 2019-01-09 15:20:19 +01:00
dbus-protocol.h DBusMessage: Add a header field for the container instance 2018-02-16 15:27:37 +00:00
dbus-resources.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-resources.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-server-debug-pipe.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-server-debug-pipe.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-server-launchd.c _dbus_server_new_for_launchd: Don't leak fd on failure 2017-11-24 12:17:29 +00:00
dbus-server-launchd.h Add launchd implementation. 2010-12-06 21:33:06 +01:00
dbus-server-protected.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-server-socket.c Add actual used ip family to --print-address output in case of listening on tcp 2018-03-19 22:24:09 +01:00
dbus-server-socket.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-server-unix.c server-unix: Don't leak address of systemd server on success 2018-08-23 18:23:34 +01:00
dbus-server-unix.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-server-win.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-server-win.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-server.c test: Move _dbus_server_test() here 2019-01-21 15:22:07 +00:00
dbus-server.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-sha.c Prefer to use _dbus_test_fatal() for assertion failures in tests 2017-11-15 12:12:15 +00:00
dbus-sha.h Bug 21161 - Update the FSF address 2009-07-14 15:39:47 -04:00
dbus-shared.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-shell.c Add and use _dbus_list_clear_full 2018-08-02 15:26:27 +01:00
dbus-shell.h Bug 21161 - Update the FSF address 2009-07-14 15:39:47 -04:00
dbus-signature.c test: Move _dbus_signature_test() here 2019-01-21 15:22:06 +00:00
dbus-signature.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-sockets-win.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-spawn-unix.c dbus-spawn: Don't take ownership of envp 2019-01-05 11:41:58 +01:00
dbus-spawn-win.c dbus-spawn-win.c: Simplify logic of return value from call to _dbus_spawn_program() 2019-01-05 11:41:58 +01:00
dbus-spawn.h dbus-spawn: Don't take ownership of envp 2019-01-05 11:41:58 +01:00
dbus-string-private.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-string-util.c test: Move string tests (most of dbus-string-util.c) here 2019-01-21 15:21:43 +00:00
dbus-string.c DBusString: extend with checking for starting with words 2019-04-26 13:29:42 +02:00
dbus-string.h DBusString: extend with checking for starting with words 2019-04-26 13:29:42 +02:00
dbus-syntax.c Doc: fix incorrect param names, missing params, non-exist params 2013-08-22 20:01:08 +01:00
dbus-syntax.h Add dbus-syntax.[ch] 2012-02-24 12:43:55 +00:00
dbus-sysdeps-pthread.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-sysdeps-thread-win.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-sysdeps-unix.c _dbus_parse_uid: Remove unused function 2019-01-23 12:05:54 +00:00
dbus-sysdeps-unix.h _dbus_parse_uid: Remove unused function 2019-01-23 12:05:54 +00:00
dbus-sysdeps-util-unix.c bus: Try to raise soft fd limit to match hard limit 2019-04-18 11:54:48 +01:00
dbus-sysdeps-util-win.c bus: Try to raise soft fd limit to match hard limit 2019-04-18 11:54:48 +01:00
dbus-sysdeps-util.c test: Move sysdeps tests here 2019-01-21 15:22:05 +00:00
dbus-sysdeps-win.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-sysdeps-win.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-sysdeps-wince-glue.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-sysdeps-wince-glue.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-sysdeps.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-sysdeps.h bus: Try to raise soft fd limit to match hard limit 2019-04-18 11:54:48 +01:00
dbus-test-tap.c _dbus_test_diag: Flush stdout after each diagnostic 2017-11-15 13:18:22 +00:00
dbus-test-tap.h test-dbus: Produce machine-readable TAP output 2017-11-15 12:12:40 +00:00
dbus-test.h test: Move _dbus_list_test() here 2019-01-21 15:22:07 +00:00
dbus-threads-internal.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-threads.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-threads.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-timeout.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-timeout.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-transport-protected.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-transport-socket.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-transport-socket.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-transport-unix.c test: Move _dbus_transport_unix_test() here 2019-01-21 15:22:07 +00:00
dbus-transport-unix.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-transport-win.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-transport-win.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-transport.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-transport.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-types.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-userdb-util.c _dbus_user_database_get_groupname: Inline into its only caller 2019-01-23 12:09:27 +00:00
dbus-userdb.c dbus-userdb: Remove unused _dbus_homedir_from_username() 2019-01-23 11:57:42 +00:00
dbus-userdb.h _dbus_user_database_get_groupname: Inline into its only caller 2019-01-23 12:09:27 +00:00
dbus-uuidgen.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-uuidgen.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-valgrind-internal.h Fix building with newer Valgrind 2012-11-09 14:04:27 +00:00
dbus-watch.c trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus-watch.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
dbus.h trivial: Remove trailing whitespace from copyright notices 2018-12-17 11:22:39 +00:00
Makefile.am Configure option to disable traditional activation 2019-03-25 21:51:33 +02:00
Version.in Link dbus-daemon and dbus-daemon-lauch-helper against libdbus 2015-02-20 20:49:45 +00:00
versioninfo.rc.in Add version info to installed executables for cmake build system on Windows 2018-03-12 19:47:28 +01:00