Default D-Bus system bus policy is allow
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
D-Bus |
Fix Released
|
Medium
|
|||
dbus (Debian) |
Fix Released
|
Unknown
|
|||
dbus (Fedora) |
Fix Released
|
Medium
|
|||
dbus (Ubuntu) |
Fix Released
|
Critical
|
Scott James Remnant (Canonical) |
Bug Description
A new security release of DBus is now available:
http://
This release contains a (partial, see below) fix for:
https:/
== Summary ==
Joachim Breitner discovered a mistake in the default configuration for the
system bus (system.conf) which made the default policy for both sent and
received messages effectively *allow*, and not deny as intended.
This release fixes the send side permission, but does not change the receive.
See below for more details.
== Available workarounds ==
Add explicit <deny> rules to existing policy files which do not
already have them.
== Mitigating factors ==
There are three important mitigating factors.
* First, in an examination of a Fedora 10 system, many services contained
explicit <deny> rules under the "default" context. These deny rules did (and
continue to) operate as expected.
* Second, an increasing trend has been for core system services to use
PolicyKit, or otherwise do security checks on the service side. Any system
which relies on PolicyKit is unaffected by this flaw.
* Third, the SELinux DBus support is not affected by this flaw.
Now, as mentioned above this fix is partial. DBus has two kinds of policy
permissions, send and receive. Generally speaking, the send side permission is
much more important. However, DBus has supported receive side permissions for
a few reasons, among those are:
* Ensuring signals containing sensitive data aren't visible by unexpected
processes. Suggested fix: Do not put sensitive data in DBus signals; use
targeted method calls.
* A way for processes to "second-pass" filter messages before they reach their
C code. Suggested fix: Something like PolicyKit (or just manual service-side
permission checks) remain a better way to do this.
For compatibility reasons, this release only fixes the send-side permission
check, and not receive. A greater number of services will need to be updated
for a future tightening of the receive permission.
We are as yet unsure when (and in fact, if) the receive permission will be
tightened in the DBus 1.2 stable branch. We will gather information about any
affected programs and make a final determination at in the near future.
== Conclusion Summary ==
* Add explicit <deny> rules under the default policy if this is applicable to
your service (i.e. not using PolicyKit or similar)
* Do not put sensitive information in signals
== Thanks ==
Thanks to Joachim Breitner for the initial report and proposed patch, Tomas
Hoger for the current fix, and others for their assistance with this issue.
_______
dbus mailing list
<email address hidden>
http://
Related branches
CVE References
In freedesktop.org Bugzilla #18229, Joachim Breitner (nomeata) wrote : | #1 |
In freedesktop.org Bugzilla #18229, Hp-pobox (hp-pobox) wrote : | #2 |
Good catch. I've marked the bug security group only in case people want to do a coordinated update under embargo.
I think the patch is not quite right because <allow> and <deny> should be treated differently.
The requested_reply arg to check_can_send already incorporates whether the message is a reply. So I think perhaps simply removing the "if (dbus_message_
if (!requested_reply && rule->allow && rule->d.
{
if (dbus_message_
{
/* it's a reply, but was not requested; if eavesdrop is true, allow anyway */
}
else
{
/* skip rule, do not allow */
continue;
}
}
I am not 100% sure though. Clearly more test cases are needed, ideally unit tests for the full matrix of (reply vs. not reply) * (requested vs. not requested) * (allow vs. deny) etc., basically try to cover all the code paths.
In freedesktop.org Bugzilla #18229, Joachim Breitner (nomeata) wrote : | #3 |
Hi,
I didn’t expect you would want to embargo this, and submitted it to the public Debian bug tracker as well:
http://
Sorry if that is causing trouble.
Greetings,
Joachim
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #4 |
Havoc, do you have any specific <deny> rule example in mind, that would be evaluated incorrectly by dbus if Joachim's patch is applied?
Additionally, is this actually a problem with dbus itself, or rather issue of default policy in system.conf? Reading the dbus-daemon manpage [1], it contains following:
[1] http://
The [send|receive]
eavesdrop attribute. It controls whether the <deny> or <allow> matches
a reply that is expected (corresponds to a previous method call message).
**This attribute only makes sense for reply messages (errors and method
returns), and is ignored for other message types.**
If I read it correctly, it basically says: if message type is not error or method return, attribute (not the whole rule) is ignored. So according to that sematics definition, for method call message the rule:
<allow send_requested_
should be identical to:
<allow/>
So the code seems to do exactly what is specified.
Isn't it the default configuration to be blamed for this problem? It says:
<allow send_requested_
and expects this rule only to be applied to reply messages. This probably needs to be changed to:
<allow send_requested_
<allow send_requested_
I do understand that Joachim's patch changes semantics for non-reply messages from "attribute is ignored" to "whole rule is ignored".
Additionally, your suggestion does not seem to do the right thing either. Consider call message and rule:
<allow send_destinatio
If I'm reading the man page correctly, send_requested_
if (!requested_reply && rule->allow && rule->d.
should be true, and
if (dbus_message_
should be false and the rule is skipped.
I'm likely to miss something important, so feel free to correct me in whatever I got wrong. Thanks!
In freedesktop.org Bugzilla #18229, Hp-pobox (hp-pobox) wrote : | #5 |
Tomas, I think your analysis is correct. So maybe just change the config file.
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #6 |
Havoc, thanks for reviewing my comment!
In comment #2 you stated you may want some coordinated release for this fix along with vendors. Do you have any specific proposed date? The issue is technically public already via Debian bug report (they can't make it private). We do have a pending update to do for bug #17803, so it would be a good opportunity to fix both issues at the same time. Thanks!
In freedesktop.org Bugzilla #18229, Hp-pobox (hp-pobox) wrote : | #7 |
If there's coordination, I wouldn't be the person doing it ;-)
(I'd ask johnp or walters or jbressers at Red Hat)
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #8 |
(In reply to comment #7)
> If there's coordination, I wouldn't be the person doing it ;-)
> (I'd ask johnp or walters or jbressers at Red Hat)
Ok, so I will take care of it. Is there any date until which you as an upstream would like to keep this private?
In freedesktop.org Bugzilla #18229, Hp-pobox (hp-pobox) wrote : | #9 |
No preferred date from me (apparently it isn't truly private anyway)
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #10 |
CVE-2008-4311 will be used to identify this flaw.
In freedesktop.org Bugzilla #18229, Zeuthen (zeuthen) wrote : | #11 |
Created an attachment (id=20193)
proposed fix
Here's a patch for fixing this via modifying the configuration file. Does this fix the issue? Thanks.
In freedesktop.org Bugzilla #18229, Hp-pobox (hp-pobox) wrote : | #12 |
Patch looks good
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #13 |
(In reply to comment #11)
> Here's a patch for fixing this via modifying the configuration file. Does this
> fix the issue? Thanks.
This is wrong, your need to use receive_type for rules with receive_
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #14 |
Looks like console-kit-daemon is one to blame, it spew some error messages, one obviously dbus-related:
ConsoleKit open: Unable to open session: A security policy in place prevents this recipient from receiving this message from this sender, see message bus configuration file (rejected message had interface "org.freedeskto
and segfaults.
In freedesktop.org Bugzilla #18229, Zeuthen (zeuthen) wrote : | #15 |
Added the ConsoleKit author to the Cc as per comment 14.
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #16 |
ConsoleKit will likely need something like this at minimum:
@@ -7,6 +7,11 @@
<policy user="root">
<allow own="org.
+ <!-- Allow receiving of messages to ConsoleKit interfaces -->
+ <allow receive_
+ <allow receive_
+ <allow receive_
+
<!-- Allow all methods on interfaces -->
<allow send_interface=
<allow send_interface=
But this problem is likely to bite almost any service using system service bus. Looking at the existing configs, even those apps that punch proper holes on the sender side fails to punch holes on receiver side. What is the main reasoning for having to approve each message twice?
So if we want to tighten rule with receive_
Alternatively, we can do a first half-step towards the full fix and leave that rule as unchanged for now and only turn to stricter rules on sender side (i.e. send_requested_
Ideas?
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #17 |
Another question is how to deal with messages to some interfaces (such as org.freedesktop
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #18 |
Does anyone have any other ideas wrt handling of receive rules?
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #19 |
Created an attachment (id=20397)
Possible system.conf change
What about this change for system.conf? It restricts send_requested_
This should resolve the problem without need for immediate fix of all applications using system bus. Creating allow receive_interface= rules for all interfaces implemented by any application using the bus would result in a similarly secure policy as one with current receive_
In freedesktop.org Bugzilla #18229, Zeuthen (zeuthen) wrote : | #20 |
(In reply to comment #19)
> Created an attachment (id=20397) [details]
> Possible system.conf change
>
> What about this change for system.conf? It restricts send_requested_
> rule, so it should deal with all unintended method calls. It also tries to set
> correct expectations wrt future of the receive_
>
> This should resolve the problem without need for immediate fix of all
> applications using system bus. Creating allow receive_interface= rules for all
> interfaces implemented by any application using the bus would result in a
> similarly secure policy as one with current receive_
> being able to check destination in receive rules still seems quite limiting to
> me.
>
Colin, Havoc: Are you guys fine with committing Tomas' patch upstream? If not, what kind of work is needed to get this issue resolved in upstream D-Bus?
(I'm asking because I'm wary of putting out an D-Bus errata for Fedora/RHEL without a clear indication that the fix is blessed upstream.)
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #21 |
(In reply to comment #20)
> Colin, Havoc: Are you guys fine with committing Tomas' patch upstream? If not,
> what kind of work is needed to get this issue resolved in upstream D-Bus?
hp said in comment #5 that the config change is probably right; I haven't had a chance to study this in detail but from reading this report through again it makes sense to me as well.
We should get this fix in.
Tomas - the reason I believe that there's no interface based check is that it's legal for messages to be sent to any interface.
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #22 |
I vaguely recall a discussion about this that I think ended up at the conclusion that the unit of security granularity should be the service; i.e. not interfaces or methods.
In other words the config file for 3rd party services should just be:
<user="root">
<allow service=
</user>
This would fit in with the trend of using PolicyKit for more fine grained authorization too.
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #23 |
(In reply to comment #21)
> Tomas - the reason I believe that there's no interface based check is that
> it's legal for messages to be sent to any interface.
Sorry, I don't understand this. Proposed patch fixes default rule that is supposed to allow all requested replies. Why should it be bound to any specific interface?
(In reply to comment #22)
> I vaguely recall a discussion about this that I think ended up at the
> conclusion that the unit of security granularity should be the service; i.e.
> not interfaces or methods.
Doesn't this make my note (end of comment #19) about not being able to use destination in receive rules even more valid? Removing possibility to use interface and method attributes will only leave sender, message type and error name checks for use in the receive rules (I believe path falls to the same category as interfaces and methods). So receive rules will have to be wide open to actually work (as they are now).
> In other words the config file for 3rd party services should just be:
>
> <user="root">
> <allow service=
> </user>
Is this supposed to be send or receive rule? Or some new policy concept, that does not distinguish the two any more?
Anyway, if this is expected to be full config for some 3rd party service, dbus will have to get the default configuration right, so that requests from non-root users are denied.
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #24 |
Should we try to embargo this through vendor-sec, or just go ahead and commit the patch to git under the assumption that since it's already in the Debian BTS it's public?
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #25 |
(In reply to comment #23)
> (In reply to comment #21)
> > Tomas - the reason I believe that there's no interface based check is that
> > it's legal for messages to be sent to any interface.
>
> Sorry, I don't understand this. Proposed patch fixes default rule that is
> supposed to allow all requested replies. Why should it be bound to any
> specific interface?
I wasn't suggesting the system.conf change should be bound to a specific interface, just that we shouldn't rely on the destination interface in general (there is a note about this in the policy docs).
> (In reply to comment #22)
> Doesn't this make my note (end of comment #19) about not being able to use
> destination in receive rules even more valid? Removing possibility to use
> interface and method attributes will only leave sender, message type and error
> name checks for use in the receive rules (I believe path falls to the same
> category as interfaces and methods). So receive rules will have to be wide
> open to actually work (as they are now).
Right...hm. How useful are the receive rules in general? I guess you'd need them if you wanted to keep a signal private between services.
> > In other words the config file for 3rd party services should just be:
> >
> > <user="root">
> > <allow service=
> > </user>
>
> Is this supposed to be send or receive rule? Or some new policy concept, that
> does not distinguish the two any more?
>
> Anyway, if this is expected to be full config for some 3rd party service, dbus
> will have to get the default configuration right, so that requests from
> non-root users are denied.
I was thinking this policy would allow root to own the service name, and any uid to send&receive messages from it, under the assumption that the service is using PolicyKit for fine grained permissions, or that it makes sense for any uid to be able to access it.
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #26 |
(In reply to comment #24)
> Should we try to embargo this through vendor-sec, or just go ahead and commit
> the patch to git under the assumption that since it's already in the Debian BTS
> it's public?
v-s is already aware of this issue, we already passed the previously proposed embargo date and there was not request for extension. Given the Debian bug, I don't think there's any need for further embargo.
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #27 |
(In reply to comment #25)
> > Sorry, I don't understand this. Proposed patch fixes default rule that is
> > supposed to allow all requested replies. Why should it be bound to any
> > specific interface?
>
> I wasn't suggesting the system.conf change should be bound to a specific
> interface, just that we shouldn't rely on the destination interface in general
> (there is a note about this in the policy docs).
Do you refer to this: "Be careful with send_interface/
> Right...hm. How useful are the receive rules in general? I guess you'd need
> them if you wanted to keep a signal private between services.
I guess send/receive rules split was made as a design decision for signal handling. For method_calls and method_returns, using single rule making point to point check would be more natural. Having to deal with both type of rules for these types of messages is bit clumsy.
> I was thinking this policy would allow root to own the service name, and any
> uid to send&receive messages from it, under the assumption that the service is
> using PolicyKit for fine grained permissions, or that it makes sense for any
> uid to be able to access it.
Ah, ok. Though this does not sound like a change that can easily fit as a fix into existing systems (some of them even pre-dating PolicyKit).
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #28 |
Writing a test case for this now. Will work on an upstream release today after that.
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #29 |
(In reply to comment #28)
> Writing a test case for this now.
Have you checked the one in our BZ?
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #30 |
Created an attachment (id=20817)
test case
This patch adds a test case, but doesn't modify the system policy yet. I chose to use Tomas' suggested policy for the test case policy, and I get the expected denial.
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #31 |
Ok, now I've double checked with this patch that the rules:
<allow send_requested_
<allow send_requested_
<allow receive_
Allow the message through (incorrectly), whereas:
<allow send_requested_
<allow send_requested_
<allow receive_
Disallow the message.
A quick once over of this patch would be appreciated; once that's done I'll merge it and then change the system.conf.in to match it per Tomas' patch.
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #32 |
(In reply to comment #31)
> A quick once over of this patch would be appreciated; once that's done I'll
> merge it and then change the system.conf.in to match it per Tomas' patch.
Is there any other patch to look at besides the one in comment #30? Test test config has differences to my proposed patch, so some thoughts on them:
- It also restricts receive_
- I guess there should be some note used there, so that the config is at honest at what it claims, and make users aware it may get better fix in the future. Feel free to re-word my note as needed.
Thank you!
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #33 |
Proposed text of mail announcement:
Subject: [CVE-2008-4311] DBus 1.2.6
A new security release of DBus is now available:
http://
This release contains a (partial, see below) fix for: https:/
== Summary ==
Because of a mistake in the default configuration for the system bus (system.conf), the default policy for both sent and received messages was effectively *allow*, and not deny as stated.
This release fixes the send side permission, but does not change the receive. See below for more details.
== Available workarounds ==
It is possible to add explicit <deny> rules to existing policy files, and in fact many have these already.
== Mitigating factors ==
There are three important mitigating factors.
* First, in an examination of a Fedora 10 system, many services (though not all, see below) contained explicit <deny> rules. These deny rules did (and continue to) operate as expected.
* Second, an increasing trend has been for core system services to use PolicyKit, or otherwise do security checks on the service side. Any system which relies on PolicyKit is unaffected by this flaw.
* Third, the SELinux DBus support is not affected by this flaw.
Now, as mentioned above this fix is partial. DBus has two kinds of policy permissions, send and receive. Generally speaking, the send side permission is much more important. However, DBus has supported receive side permissions for a few reasons, among those are:
* Ensuring signals containing sensitive data aren't visible by unexpected processes
* A way for processes to "second-pass" filter messages before they reach their C code; however, what one can do in the policy language is relatively limited, and something like PolicyKit (or just manual service-side permission checks) remain a better way to do this.
For compatibility reasons, this release only fixes the send-side permission check, and not receive. A greater number of services will need to be updated for a future tightening of the receive permission.
We are as yet unsure when (and in fact, if) the receive permission will be tightened in the DBus 1.2 stable branch. We will gather information about any affected programs and make a final determination at in the near future.
For now, it is suggested to use explicit <deny> rules for receive side.
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #34 |
Further note will send after:
== Affected Services ==
An examination of a Fedora 10 desktop installation discovered only one affected program, the APT backend for PackageKit.
A fix is available here:
[link here]
Does anyone know of any other affected programs?
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #35 |
A few updates; credits, stronger suggestion to always use <deny>.
Subject: [CVE-2008-4311] DBus 1.2.6
A new security release of DBus is now available:
http://
This release contains a (partial, see below) fix for:
https:/
== Summary ==
Joachim Breitner discovered a mistake in the default configuration for the system bus (system.conf) which made the default policy for both sent and received messages was effectively *allow*, and not deny as stated.
This release fixes the send side permission, but does not change the receive.
See below for more details.
== Available workarounds ==
It is possible to add explicit <deny> rules to existing policy files, and in
fact many have these already.
== Mitigating factors ==
There are three important mitigating factors.
* First, in an examination of a Fedora 10 system, many services contained explicit <deny> rules. These deny rules did (and
continue to) operate as expected.
* Second, an increasing trend has been for core system services to use
PolicyKit, or otherwise do security checks on the service side. Any system
which relies on PolicyKit is unaffected by this flaw.
* Third, the SELinux DBus support is not affected by this flaw.
Now, as mentioned above this fix is partial. DBus has two kinds of policy
permissions, send and receive. Generally speaking, the send side permission is
much more important. However, DBus has supported receive side permissions for
a few reasons, among those are:
* Ensuring signals containing sensitive data aren't visible by unexpected
processes. Suggested fix: Do not put sensitive data in DBus signals; use targeted method calls.
* A way for processes to "second-pass" filter messages before they reach their
C code. Suggested fix: Something like PolicyKit (or just manual service-side permission checks) remain a better way to do this.
For compatibility reasons, this release only fixes the send-side permission
check, and not receive. A greater number of services will need to be updated
for a future tightening of the receive permission.
We are as yet unsure when (and in fact, if) the receive permission will be
tightened in the DBus 1.2 stable branch. We will gather information about any
affected programs and make a final determination at in the near future.
== Conclusion Summary ==
* Add explicit <deny> rules under the default policy if this is applicable to your service (i.e. not using PolicyKit or similar)
* Do not put sensitive information in signals
== Thanks ==
Thanks to Joachim Breitner for the initial report and proposed patch, Tomas Hoger for the current fix, and others for their assistance with this issue.
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #36 |
(In reply to comment #34)
> Does anyone know of any other affected programs?
bluetooth.conf in bluez-utils only permit some messages from at_console users, with no restriction for context=default, so looks affected.
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #37 |
(In reply to comment #36)
> (In reply to comment #34)
> > Does anyone know of any other affected programs?
>
> bluetooth.conf in bluez-utils only permit some messages from at_console users,
> with no restriction for context=default, so looks affected.
Ok, I'll try to touch base with them now and see if they can get an update ready.
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #38 |
(In reply to comment #37)
> > bluetooth.conf in bluez-utils only permit some messages from at_console
> > users, with no restriction for context=default, so looks affected.
>
> Ok, I'll try to touch base with them now and see if they can get an update
> ready.
Update bluez? Why? Once dbus default policy is right, there will be no need for explicit denies in bluez. Or have I managed to misunderstand what you referred to as affected programs?
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #39 |
Release done, lifting security tag. I'll keep this bug open as a data gathering point for what to do about the receive aspect.
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #40 |
(In reply to comment #38)
> (In reply to comment #37)
> > > bluetooth.conf in bluez-utils only permit some messages from at_console
> > > users, with no restriction for context=default, so looks affected.
> >
> > Ok, I'll try to touch base with them now and see if they can get an update
> > ready.
>
> Update bluez? Why? Once dbus default policy is right, there will be no need
> for explicit denies in bluez.
Right, it's not strictly speaking necessary, it just seems prudent to add the <deny> rules.
Even besides that it seems important to touch base with those projects without the <deny>, simply because they were affected and should be aware of the impact.
In Red Hat Bugzilla #474895, Colin (colin-redhat-bugs) wrote : | #72 |
In Red Hat Bugzilla #474895, Fedora (fedora-redhat-bugs) wrote : | #73 |
dbus-1.2.6-1.fc10 has been submitted as an update for Fedora 10.
http://
In Red Hat Bugzilla #474895, Fedora (fedora-redhat-bugs) wrote : | #75 |
dbus-1.2.6-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
In Red Hat Bugzilla #474895, Fedora (fedora-redhat-bugs) wrote : | #76 |
dbus-1.2.6-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #41 |
Note - PackageKit broke with this change:
In freedesktop.org Bugzilla #18229, Sjoerd Simons (sjoerd) wrote : | #42 |
avahi-daemon also breaks. It has several dbus interface from which it sends signals which are denied with this fix. Most of those interface also have methods but those should work correctly as it has <allow send_destinatio
I'll try to investigate the minimal fix tomorrow (if time allows, feel free to beat me to it).
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #43 |
PolicyKit policy bug:
https:/
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #44 |
(In reply to comment #42)
> avahi-daemon also breaks. It has several dbus interface from which it sends
> signals which are denied with this fix.
What is the interface used in the signals? org.freedesktop
<allow send_interface=
to the <policy group="avahi"> section should be the easiest fix (well, it may be better to bound it to the owner of the org.freedesktop
<allow receive_
As for the fix proposed here:
http://
<allow send_requested_
This rule will only be considered for messages of type signal. send_requested_
Not quite sure what to look for in the avahi-discover output...
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #45 |
Created an attachment (id=20899)
Allow-DBus.
This patch allows Introspection and Peer methods by default.
In freedesktop.org Bugzilla #18229, Zeuthen (zeuthen) wrote : | #46 |
(In reply to comment #45)
> Created an attachment (id=20899) [details]
> Allow-DBus.
>
> This patch allows Introspection and Peer methods by default.
>
Hmm. I honestly think this is confusing. If we require that system services need to punch holes *anyway*, why not let them punch holes for Peer and Introspectable too?
I think doing this automatically will just make it even harder to grasp how to use <allow> and <deny> correctly; it's already way too overcomplicated and we've seen both the implementation and users get it wrong.
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #47 |
(In reply to comment #46)
> (In reply to comment #45)
> > Created an attachment (id=20899) [details] [details]
> > Allow-DBus.
> >
> > This patch allows Introspection and Peer methods by default.
> >
>
> Hmm. I honestly think this is confusing. If we require that system services
> need to punch holes *anyway*, why not let them punch holes for Peer and
> Introspectable too?
>
> I think doing this automatically will just make it even harder to grasp how to
> use <allow> and <deny> correctly; it's already way too overcomplicated and
> we've seen both the implementation and users get it wrong.
I think the bottom line is to use send_destination liberally. I'll post about this on the list.
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #48 |
There is one major issue left to address: signals. Basically, we should add a global
<allow send_type=
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #49 |
Created an attachment (id=20924)
cleanup of system.d
Here is a first pass through the system.d directory. The major themes are:
* Changing things to use send_destination. This fixes the introspection handling.
* Removing rules of the form <deny send_interface=
* Adding missing <context=
In Red Hat Bugzilla #474895, Feng (feng-redhat-bugs) wrote : | #77 |
This version of dbus messes up everything:
gpk stops working,
system-
system-
and more.
Seems like some default policy were changed, and the corresponding system components were not tweaked.
Refer to this link:
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #50 |
Created an attachment (id=20928)
allow signals by default
In order to move forward with the system.d cleanup, I propose we allow all signals by default. There is not great value in restricting the namespaces of sent signals.
Scott James Remnant (Canonical) (canonical-scott) wrote : | #51 |
Binary package hint: dbus
From <email address hidden> Fri Dec 5 19:55:35 2008
Return-path: <email address hidden>
Envelope-to: <email address hidden>
Delivery-date: Fri, 05 Dec 2008 19:55:35 +0000
Received: from fiordland.
zelda.netsplit.com with esmtp (Exim 4.69) (envelope-from
<email address hidden>) id 1L8glz-0008Lu-Jr for
<email address hidden>; Fri, 05 Dec 2008 19:55:35 +0000
Received: from cluster-
[85.115.58.190]) by fiordland.
A2228B68256; Fri, 5 Dec 2008 19:55:12 +0000 (GMT)
Received: from arctowski.
[91.189.94.158]) by rly14e.
mB5JtBXk031219; Fri, 5 Dec 2008 19:55:11 GMT
Received: from fiordland.
arctowski.
<email address hidden>) id 1L8glb-0005dd-Id; Fri, 05 Dec 2008
19:55:11 +0000
Received: from gabe.freedeskto
[131.252.210.177]) by fiordland.
C49C8B68256; Fri, 5 Dec 2008 19:55:10 +0000 (GMT)
Received: from gabe.freedeskto
gabe.freedeskt
11:55:08 -0800 (PST)
X-Original-To: <email address hidden>
Delivered-To: <email address hidden>
Received: from an-out-
[209.85.132.249]) by gabe.freedeskto
D3FBB9E741 for <email address hidden>; Fri, 5 Dec 2008 11:55:05
-0800 (PST)
Received: by an-out-
<email address hidden>; Fri, 05 Dec 2008 11:55:05 -0800 (PST)
Received: by 10.100.242.20 with SMTP id p20mr252471anh.
Fri, 05 Dec 2008 11:55:04 -0800 (PST)
Received: by 10.100.127.20 with HTTP; Fri, 5 Dec 2008 11:55:04 -0800 (PST)
Message-ID: <email address hidden>
Date: Fri, 5 Dec 2008 14:55:04 -0500
From: "Colin Walters" <email address hidden>
To: dbus <email address hidden>
Subject: [CVE-2008-4311] DBus 1.2.6
MIME-Version: 1.0
Content-
X-Google-
X-BeenThere: <email address hidden>
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <dbus.lists.
List-Unsubscribe: <http://
<mailto:<email address hidden>
List-Archive: <http://
List-Post: <mailto:<email address hidden>>
List-Help: <mailto:<email address hidden>
List-Subscribe: <http://
<mailto:<email address hidden>
Content-Type: text/plain; charset="us-ascii"
Content-
Sender: <email address hidden>
Errors-To: <email address hidden>
X-Mailcontrol-
uq3drnD2P+
X-Spam-Score: -3.5
X-Scan...
description: | updated |
Changed in dbus: | |
importance: | Undecided → Critical |
status: | New → In Progress |
Scott James Remnant (Canonical) (canonical-scott) wrote : | #52 |
This change is known to break many of the existing D-Bus services, most notably Avahi, PolicyKit and PackageKit. It's also believed to break signals.
While upstream figure out what to do about that, we've looked into the actual effect of the problem.
The most concerning system bus service would be system-
Other pieces already use PolicyKit.
Thus we're happy that there's no significant exploit here, and that there is too great a risk for breaking existing services with the current patch. We'll make an upload as soon as the situation is clear.
Changed in dbus: | |
status: | Unknown → In Progress |
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #53 |
Created an attachment (id=20942)
Improvement for dbus-daemon manpage wrt policy rule application ordering
Colin, can you please consider this minor dbus-daemon man page improvement for next update? It adds mention of at_console <policy> attribute.
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #54 |
(In reply to comment #50)
> In order to move forward with the system.d cleanup, I propose we allow all
> signals by default. There is not great value in restricting the namespaces of
> sent signals.
Should receiving of all signals be allowed by default as well? Are there any known use-cases of private signals?
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #55 |
(In reply to comment #49)
> Here is a first pass through the system.d directory.
Some thoughts...
--- system.
There are few receive_sender rules there as well that should only be needed for signals, so their fate actually depends on what the default for signals will be.
--- system.
Did you leave user="root" rules unchanged intentionally? They look like a good candidate for allow send_destination. Why not remove all those context="default" deny rules and only keep explicit allows.
The similar comments apply to gdm.conf.
--- system.
Rule <allow send_interface=
--- system.
- <allow send_interface=
Again, may be needed for signals.
--- system.
I'd prefer to see allow send_destination rule removed from user="root" section. All context="default" rules apply to root as well, so having the rule only there should be sufficient.
--- system.
This seems incorrect to me. Probably something like this is needed:
@@ -8,12 +8,12 @@
<!-- Only root can own the service -->
<policy user="root">
<allow own="org.
- <allow send_interface=
</policy>
<!-- Allow anyone to invoke methods on the interfaces -->
<policy context="default">
- <allow send_interface=
+ <allow send_destinatio
+ send_interface=
</policy>
</busconfig>
Not sure if binding to a particular interface is really needed.
--- system.
Allow rules in user="root" section can be omitted when service should be accessible to all users and there's context="default" allow rule.
--- system.
It may requires some of the removed rules, or allow receive_sender rule for signal handling.
Similar probably applies to yum-updatesd.conf as well.
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #56 |
(In reply to comment #52)
> (In reply to comment #50)
> > In order to move forward with the system.d cleanup, I propose we allow all
> > signals by default. There is not great value in restricting the namespaces of
> > sent signals.
>
> Should receiving of all signals be allowed by default as well? Are there any
> known use-cases of private signals?
>
I believe receiving signals will be covered by the receive_
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #57 |
(In reply to comment #51)
> Created an attachment (id=20942) [details]
> Improvement for dbus-daemon manpage wrt policy rule application ordering
>
> Colin, can you please consider this minor dbus-daemon man page improvement for
> next update? It adds mention of at_console <policy> attribute.
Will do, I also have an update to the man page lying around.
In freedesktop.org Bugzilla #18229, Thoger-redhat (thoger-redhat) wrote : | #58 |
(In reply to comment #54)
> > Should receiving of all signals be allowed by default as well? Are there any
> > known use-cases of private signals?
>
> I believe receiving signals will be covered by the receive_
> opening all receive side.
Oh, well, that's correct. Looks like I was thinking too long-term, assuming complete fix.
In freedesktop.org Bugzilla #18229, Colin Walters (walters) wrote : | #59 |
Thanks for the review of the system.d changes. Let's actually break this list up into 3 separate parts:
1) Services broken by the new security policy (e.g. the original PolicyKit.conf could never have worked in a default-deny world)
2) Services which use <deny send_interface/> without also specifying send_destination. These break no-interface requests from scripting languages.
3) Cleanup
Suggest we focus on these in order. I've created tracking bugs:
Broken: https:/
Deny send_interface: https:/
Cleanup: (We'll do this later)
In freedesktop.org Bugzilla #18229, Dan Ziemba (zman0900) wrote : | #60 |
(In reply to comment #34)
>
> Does anyone know of any other affected programs?
>
I am a Fedora 10 user, and I have been following this bug. My system is running the updated dbus, and I have noticed two other affected applications: system-
In freedesktop.org Bugzilla #18229, Dan Ziemba (zman0900) wrote : | #61 |
(In reply to comment #58)
> (In reply to comment #34)
> >
> > Does anyone know of any other affected programs?
> >
>
> I am a Fedora 10 user, and I have been following this bug. My system is
> running the updated dbus, and I have noticed two other affected applications:
> system-
> s-c-services has already been addressed in the system.d patch, but I think
> there is something wrong in the org.fedoraproje
> s-c-samba. The file is identical to the org.fedoraproje
> file except for the word Services, so I assume the same fix could be used on
> it?
>
Nevermind, I see that new versions of each have been build on Koji. I have tested them both and the seem to work.
Scott James Remnant (Canonical) (canonical-scott) wrote : | #62 |
A new release of DBus is now available:
http://
SHA1: f6a5215b1eb6fee
This release is a continuation of work on:
https:/
== Overview ==
I think we're finally arriving at general consensus for where the line
for bugs in the core is versus in external programs for this issue.
DBus 1.2.8 has one behavioral change, which is to allow all signals by
default on the system bus. There is also a documentation update for
the system bus:
"Currently, the system bus has a default-deny policy for sending method calls
and owning bus names. Everything else, in particular reply messages, receive
checks, and signals has a default allow policy."
There are two major things to be aware of, in order of importance:
== Services ==
Now, corresponding with this issue, some services must be updated. A
tracking bug has been created:
https:/
The above bug is for services which fail with the policy for DBus
1.2.8 (i.e. not 1.2.6).
== <deny send_interface=""/>
Besides services which must be updated to work, there are also
services whose config breaks *other* services or introduces erroneous
permissions. This kind of flaw is really the fault of the policy
language - it's incredibly easy to introduce these kinds of flaws. In
general, every rule in a system.d/foo.conf should include
"send_destination". If it doesn't, it's almost certainly a bug.
The most insidious is this one:
<policy context="default">
<deny send_interface=
</policy>
Effectively, this will deny all messages sent with no interface - even
those *not sent to your service* - as occurs when using e.g. Python
and not using the dbus.Interface cast. The correct rule looks like
this:
<policy context="default">
<deny send_destinatio
</policy>
Bottom line - use send_destination in *every* rule unless you know
explicitly what you're doing, and avoid putting two services in the
same process (if you do, use PolicyKit).
Scott James Remnant (Canonical) (canonical-scott) wrote : | #63 |
Here's the technical summary:
The D-Bus protocol is made up of messages, the basic types of which are "method call", "reply", "error" and "signal".
Messages are policy-checked by the bus daemon. To be allowed, the message must past both the "send" rules (for the client) and the "receive" rules (for the service).
A method call is thus two messages: the "method call" sent from the client to the service, and a "reply" or "error" sent back from the service to the client. The client must have permission to send the "method call", and receive both "reply" and "error". The service must have permission to receive the "method call", and send both "reply" and "error".
A signal is a signal message: the "signal" is sent from a service to clients. The service must have permission to send the "signal". The clients must have permission to receive the "signal".
--
Policy is specified by a series of <allow> and <deny> rules for particular policy contexts (default, by user, etc.), and is in the /etc/dbus-
The daemon simply concatenates the rules, it doesn't distinguish that a certain file comes from a certain service, etc. Remember that: it's important.
Since every message is checked for both send *and* receive, in practice, you only need to test one side of this. The standard so far has been to allow clients to send the message to you:
Here's an example for a typical service, this example is pastable:
<policy user="root">
<allow own="com.
</policy>
<policy context="default">
<allow send_destinatio
</policy>
This allows the "root" user to own the "com.ubuntu.
If you wanted to restrict some method calls, you might do something like:
<policy user="root">
<allow own="com.
<allow send_destinatio
</policy>
<policy context="default">
<allow send_destinatio
<deny send_destinatio
</policy>
Note that we explicitly qualified the deny with a "send_destination"; otherwise we'd have denied the EvictGuest method call to *any* service, not just our own - which might be a different interface, or a different service entirely.
There is a case for using receive policy rules, restricting who can receive signals (which are otherwise allowed). For example, to only allow root to receive a signal:
<policy user="root">
<allow own="com.
<allow receive_
</policy>
<policy context="default">
<allow send_destinatio
<deny receive_
</policy>
ie. root can own the bus name, and can receive signals from RoomService; everyone else can send method calls to RoomService but cannot receive signals from it.
Again note that we qualify with the sender, we don't want to deny signals from other services.
--
The above assumes that the def...
Scott James Remnant (Canonical) (canonical-scott) wrote : | #64 |
Bug for signal injection:
Scott James Remnant (Canonical) (canonical-scott) wrote : | #65 |
screen-
Scott James Remnant (Canonical) (canonical-scott) wrote : | #66 |
eggcups: bug #306716
Scott James Remnant (Canonical) (canonical-scott) wrote : | #67 |
gpe-bluetooth: bug #306726
Scott James Remnant (Canonical) (canonical-scott) wrote : | #68 |
kerneloops: bug #306728
Changed in dbus: | |
assignee: | nobody → scott |
Launchpad Janitor (janitor) wrote : | #69 |
This bug was fixed in the package dbus - 1.2.12-0ubuntu1
---------------
dbus (1.2.12-0ubuntu1) jaunty; urgency=low
* New upstream release: (LP: #306362)
- Correct default configuration to deny sending messages that are not
signals or expected replies. [CVE-2008-4311]a
- Default system bus policy cleaned up and clarified.
- Add system logging of method denials and config file reloads.
- Abstract sockets not tested for if explicitly disabled.
- More efficient validation for fixed-size type arrays.
- Serial printed by dbus-monitor.
- New --address option for dbus-send
-- Scott James Remnant <email address hidden> Fri, 16 Jan 2009 11:03:53 +0000
Changed in dbus: | |
status: | In Progress → Fix Released |
Changed in dbus: | |
status: | Unknown → Fix Released |
In freedesktop.org Bugzilla #18229, Joachim Breitner (nomeata) wrote : | #70 |
(In reply to comment #39)
> Release done, lifting security tag. I'll keep this bug open as a data
> gathering point for what to do about the receive aspect.
I’m just going through my bugs here, and noticed this one. Is there still stuff to do or can this bug be closed?
In freedesktop.org Bugzilla #18229, Richard Hughes (richard-hughes) wrote : | #71 |
Yes. I think we can close this now. Thanks.
Changed in dbus: | |
status: | In Progress → Fix Released |
Changed in dbus: | |
importance: | Unknown → Medium |
Changed in dbus: | |
importance: | Medium → Unknown |
Changed in dbus: | |
importance: | Unknown → Medium |
Changed in dbus (Debian): | |
status: | Unknown → Fix Released |
Changed in dbus (Fedora): | |
importance: | Unknown → Medium |
Created an attachment (id=19870)
Possible fix
I think this (git-format-patch created patch) would fix the problem, but of course it should be reviewed first.