#307 closed enhancement (fixed)
DBus policy needs checking
Reported by: | morgs | Owned by: | erikos |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | Sugar | Version: | Git as of bugdate |
Severity: | Minor | Keywords: | |
Cc: | Distribution/OS: | Ubuntu | |
Bug Status: | Assigned |
Description
This issue was reported on Sugar 0.82.x in Ubuntu Jaunty, but affects 0.83 and will probably affect all distros sooner or later.
https://bugs.launchpad.net/ubuntu/+source/sugar/+bug/318752/
sugar builds one or more binary packages that contain D-Bus system bus services. The following were detected: universe/x11/sugar etc/dbus-1/system.d/NetworkManagerInfo.conf The D-Bus policy needs checking! It was discovered that the default policy of the D-Bus system bus was not as was expected, due to a quirk of the language. In fact, whereas the default policy was supposed to have been that messages would not be allowed by default, the default was in fact that messages _were_ allowed! CVE-2008-4311 was issued, and a new release of D-Bus was updated to correct the default policy to be deny-by-default. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4311 It was quickly discovered that the policy files shipped by most services no longer worked, and that many were (inadvertently, perhaps) relying on the misconfiguration of the daemon. A new version of D-Bus has been uploaded to jaunty co correct this. Please read the following carefully to assist with updating the configuration. The default policy of the D-Bus system bus is: - Name ownership is DENIED by default. - Method calls are DENIED by default. - Replies to method calls, including errors, are PERMITTED by default. - Signals are PERMITTED by default. Therefore each service MUST, in its policy configuration: - Permit an appropriate user to own the name it wishes to claim: <policy user="example"> <allow own="com.ubuntu.Example" /> </policy> - Allow method calls to be made on objects it exports, for particular users. This may be done in a number of different ways. You may simply allow all method calls to your claimed name: <policy context="default"> <allow send_destination="com.ubuntu.example" /> </policy> You may allow method calls to particular interfaces you export, especially useful if you have privileged and non-privileged interfaces: <policy context="default"> <allow send_destination="com.ubuntu.example" send_interface="com.ubuntu.Example" /> </policy> <policy user="root"> <allow send_destination="com.ubuntu.example" send_interface="com.ubuntu.Example.System" /> </policy> *IMPORTANT* you MUST include send_destination on ALL allow or deny tags. Omitting it is a SERIOUS bug! <!-- !! SERIOUS BUG !! --> <allow send_interface="x.y.z" /> This allows any service to receive method calls of the given interface, not just your own service! It also implicitly allows any service to receive method calls with no interface specified, in case they match this interface! Using the above means you are potentially allowing exploiting of a different service. DO NOT DO IT! <!-- !! SERIOUS BUG !! --> <deny send_interface="x.y.z" /> This denies all services from receiving method calls of the given interface, not just your own service! It also implicitly denies all services from receiving method calls with no interface specified. DO NOT DO IT! - You must allow standard interfaces as well, such as Introspection and Properties: <policy context="default"> <allow send_destination="com.ubuntu.example" send_interface="org.freedesktop.DBus.Introspectable" /> <allow send_destination="com.ubuntu.example" send_interface="org.freedesktop.DBus.Properties" /> </policy> - You should not normally allow receipt of any messages sent from your interface, this is also the default. (ie. remove any lines of the form <allow receive_*>) - You do not normally need to deny any messages, this is the default. (ie. remove any lines of the form <deny...>) You should fully test the service with the new D-Bus after updating the policy, you'll need to restart the bus daemon for that (it's probably easier to reboot). If messages are being denied, it will be logged in /var/log/auth.log as follows: Dec 19 14:17:53 space-ghost dbus: Rejected send message, 1 matched rules; type="method_return", sender=":1.26" (uid=0 pid=2966 comm="/usr/libexec/nm-dispatcher.action ") interface="(unset)" member="(unset)" error name="(unset)" requested _reply=0 destination=":1.18" (uid=0 pid=2806 comm="NetworkManager --pid-file=/var/run/NetworkManager/")) Be aware that a denied message may still happen if you have other invalid policy installed (such as those which don't qualify allow/deny rules with the destination!). Take the opportunity to fix all you see.
Change History (13)
comment:1 Changed 15 years ago by morgs
comment:2 Changed 15 years ago by tomeu
- Bug Status changed from Unconfimed to Assigned
- Milestone changed from Unspecified by Release Team to 0.84
- Owner changed from marcopg to erikos
- Status changed from new to assigned
comment:3 Changed 15 years ago by erikos
This is the recent nm-user-settings.conf from nm-applet. It seems to work all right on Soas for me -> I can get information from the AP.
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> <busconfig> <policy user="root"> <allow own="org.freedesktop.NetworkManagerUserSettings"/> <allow send_destination="org.freedesktop.NetworkManagerUserSettings"/> </policy> <policy at_console="true"> <allow own="org.freedesktop.NetworkManagerUserSettings"/> <allow send_destination="org.freedesktop.NetworkManagerUserSettings"/> <!-- Only root can get secrets --> <deny send_destination="org.freedesktop.NetworkManagerUserSettings" send_interface="org.freedesktop.NetworkManagerSettings.Secrets"/> </policy> <policy context="default"> <deny send_destination="org.freedesktop.NetworkManagerUserSettings"/> <allow send_destination="org.freedesktop.NetworkManagerUserSettings" send_interface="org.freedesktop.DBus.Introspectable"/> </policy> <limit name="max_replies_per_connection">512</limit> </busconfig>
comment:4 Changed 15 years ago by erikos
- Priority changed from Unspecified by Maintainer to Immediate
- Severity changed from Major to Blocker
comment:5 Changed 15 years ago by erikos
comment:6 Changed 15 years ago by erikos
comment:7 Changed 15 years ago by morgs
Looks good to me.
comment:8 Changed 15 years ago by erikos
- Milestone changed from 0.84 to 0.86
- Severity changed from Blocker to Minor
- Type changed from defect to enhancement
We have still two deny in the config file. But I think it works like that - as nm-applet uses the same config file. But could probably be enhanced later.
comment:9 Changed 14 years ago by erikos
- Priority changed from Immediate to Normal
comment:11 Changed 14 years ago by tomeu
- Milestone changed from 0.86 to 0.88
This has missed the 0.86 release :(
comment:12 Changed 14 years ago by tomeu
Simon, what needs to be done here (if anything)?
comment:13 Changed 10 years ago by dnarvaez
- Resolution set to fixed
- Status changed from assigned to closed
Note: See
TracTickets for help on using
tickets.
Debian fixed this for 0.82.x with this patch:
http://git.debian.org/?p=collab-maint/sugar.git;a=blob;f=debian/patches/2004_strip_dbus_interface_hints.patch;h=f6d94c124dffa673c83aaba59b76a1907b4346aa;hb=eb3457454551519549fab9fb8a2a4886b41e1511
However for 0.83.x we have allow and deny for send_interface in nm-user-settings.conf e.g.
<deny send_interface="org.freedesktop.NetworkManagerSettings.Secrets"/>
so that's more complex and we can't simply drop all the <allow send_interface...> and <deny send_interface...>.