UpdateActivationEnvironment is the one dbus-daemon API call that is
obviously dangerous (it is intended for the session bus),
so the default system.conf does not allow anyone to call it.
It has recently come to the D-Bus maintainers' attention that some
system services incorrectly install D-Bus policy rules that allow
arbitrary method calls to any destination as long as they have a
"safe" object path. This is not actually safe: some system services
that use low-level D-Bus bindings like libdbus, including dbus-daemon
itself, provide the same API on all object paths.
Unauthorized calls to UpdateActivationEnvironment are probably just
resource consumption rather than privilege escalation, because on
the system bus, the modified environment is only used to execute
a setuid wrapper that avoids LD_PRELOAD etc. via normal setuid
handling, and sanitizes its own environment before executing
the real service. However, it's safest to assume the worst and
treat it as a potential privilege escalation.
Accordingly, as a hardening measure to avoid privilege escalation on
systems with these faulty services, stop allowing calls to
("/com/example/Whatever",
"org.freedesktop.DBus.UpdateActivationEnvironment")
and only allow ("/org/freedesktop/DBus",
"org.freedesktop.DBus.UpdateActivationEnvironment").
We deliberately continue to provide read-only APIs like
GetConnectionUnixUser at all object paths, for backwards compatibility.
Reviewed-by: Thiago Macieira <thiago@kde.org>
[adjusted commit message to note that this is probably only DoS -smcv]
/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
/* driver.h Bus client (driver)
 *
 * Copyright (C) 2003 CodeFactory AB
 *
 * Licensed under the Academic Free License version 2.1
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 *
 */
#ifndef BUS_DRIVER_H
#define BUS_DRIVER_H
#include <dbus/dbus.h>
#include "connection.h"
/* Takes the connection that is being removed from the bus.
 * NOTE(review): only the prototype is visible in this header; presumably
 * this lets the driver drop any state it holds for @connection. Confirm
 * against driver.c. */
void bus_driver_remove_connection (DBusConnection *connection);
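/* Handles @message, sent by @connection, within @transaction.
 *
 * Returns a dbus_bool_t and takes a DBusError out-parameter.
 * NOTE(review): presumably FALSE is returned with @error set on failure,
 * following the usual DBusError convention - confirm against driver.c.
 *
 * Security note: the commit message accompanying this header states that
 * dbus-daemon provides the same API on all object paths, so D-Bus policy
 * rules that key only on a "safe" object path do not limit which driver
 * methods can be reached.
 */
dbus_bool_t bus_driver_handle_message (DBusConnection *connection,
                                       BusTransaction *transaction,
                                       DBusMessage *message,
                                       DBusError *error);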
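/* Sends a "service lost" notification for @service_name to @connection
 * as part of @transaction.
 *
 * NOTE(review): only the prototype is visible here; presumably this is the
 * NameLost signal and FALSE is returned with @error set on failure.
 * Confirm against driver.c.
 */
dbus_bool_t bus_driver_send_service_lost (DBusConnection *connection,
                                          const char *service_name,
                                          BusTransaction *transaction,
                                          DBusError *error);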
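/* Sends a "service acquired" notification for @service_name to
 * @connection as part of @transaction.
 *
 * NOTE(review): only the prototype is visible here; presumably this is the
 * NameAcquired signal and FALSE is returned with @error set on failure.
 * Confirm against driver.c.
 */
dbus_bool_t bus_driver_send_service_acquired (DBusConnection *connection,
                                              const char *service_name,
                                              BusTransaction *transaction,
                                              DBusError *error);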
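/* Sends an "owner changed" notification for @service_name, naming
 * @old_owner and @new_owner, as part of @transaction.
 *
 * Unlike the lost/acquired variants this takes no connection argument.
 * NOTE(review): presumably this is the NameOwnerChanged signal, with the
 * recipients chosen by the implementation; whether either owner may be
 * NULL cannot be told from the prototype. Confirm against driver.c.
 */
dbus_bool_t bus_driver_send_service_owner_changed (const char *service_name,
                                                   const char *old_owner,
                                                   const char *new_owner,
                                                   BusTransaction *transaction,
                                                   DBusError *error);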
/* Produces the driver's introspection data into @xml.
 * NOTE(review): only the prototype is visible; presumably the XML is
 * appended to @xml and FALSE means out of memory (there is no DBusError
 * parameter). Confirm against driver.c. */
dbus_bool_t bus_driver_generate_introspect_string (DBusString *xml);
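/* Checks whether @message is one the bus driver should accept.
 *
 * NOTE(review): only the prototype is visible here. Presumably this is the
 * check described in the accompanying commit message:
 * org.freedesktop.DBus.UpdateActivationEnvironment is accepted only on the
 * object path /org/freedesktop/DBus, while read-only calls such as
 * GetConnectionUnixUser remain available on every object path for
 * backwards compatibility. Confirm against driver.c.
 *
 * Presumably returns FALSE with @error set when the message is refused.
 * The check only hardens anything if callers test the return value and
 * stop processing the message on FALSE.
 */
dbus_bool_t bus_driver_check_message_is_for_us (DBusMessage *message,
                                                DBusError *error);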
#endif /* BUS_DRIVER_H */