Commit 47b1a4c4 authored by Simon McVittie

auth: Reject DBUS_COOKIE_SHA1 for users other than the server owner

The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
of a shared home directory by having the server write a secret "cookie"
into a .dbus-keyrings subdirectory of the desired identity's home
directory with 0700 permissions, and having the client prove that it can
read the cookie. This never actually worked for non-malicious clients in
the case where server uid != client uid (unless the server and client
both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
Unix uid 0) because an unprivileged server would fail to write out the
cookie, and an unprivileged client would be unable to read the resulting
file owned by the server.

Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
is owned by the uid of the server (a side-effect of a check added to
harden our use of XDG_RUNTIME_DIR), further ruling out successful use
by a non-malicious client with a uid differing from the server's.

Joe Vennix of...
parent 95340593
......@@ -529,6 +529,7 @@ sha1_handle_first_client_response (DBusAuth *auth,
DBusString tmp2;
dbus_bool_t retval = FALSE;
DBusError error = DBUS_ERROR_INIT;
DBusCredentials *myself = NULL;
_dbus_string_set_length (&auth->challenge, 0);
......@@ -565,6 +566,34 @@ sha1_handle_first_client_response (DBusAuth *auth,
return FALSE;
myself = _dbus_credentials_new_from_current_process ();
if (myself == NULL)
goto out;
if (!_dbus_credentials_same_user (myself, auth->desired_identity))
* DBUS_COOKIE_SHA1 is not suitable for authenticating that the
* client is anyone other than the user owning the process
* containing the DBusServer: we probably aren't allowed to write
* to other users' home directories. Even if we can (for example
* uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we
* must not, because the other user controls their home directory,
* and could carry out symlink attacks to make us read from or
* write to unintended locations. It's difficult to avoid symlink
* attacks in a portable way, so we just don't try. This isn't a
* regression, because DBUS_COOKIE_SHA1 never worked for other
* users anyway.
_dbus_verbose ("%s: client tried to authenticate as \"%s\", "
"but that doesn't match this process",
_dbus_string_get_const_data (data));
retval = send_rejected (auth);
goto out;
/* we cache the keyring for speed, so here we drop it if it's the
* wrong one. FIXME caching the keyring here is useless since we use
* a different DBusAuth for every connection.
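Review bot: No test is visible for the new rejection branch that follows `_dbus_credentials_same_user (myself, auth->desired_identity)`. A case where the client requests an identity other than the server's own user and gets the `send_rejected` reply would stop a later refactor from dropping the check or moving it below the keyring code that follows, which is where another user's home directory would be touched. The mismatch is also reported only through `_dbus_verbose`, a debug trace, so consider whether a refused cross-user attempt should be visible to an administrator in a normal build.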
......@@ -679,6 +708,9 @@ sha1_handle_first_client_response (DBusAuth *auth,
_dbus_string_zero (&tmp2);
_dbus_string_free (&tmp2);
if (myself != NULL)
_dbus_credentials_unref (myself);
return retval;
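Review bot: The `_dbus_credentials_unref (myself)` cleanup before `return retval` is only reached by paths that go through `out`, and it relies on the `myself = NULL` initializer from the first hunk for the `goto out` exits taken before the allocation. The `return FALSE` shown as context just above the allocation is safe because nothing has been allocated yet, but a short comment at the declaration saying that `myself` is released at `out` would help keep any direct return added after the allocation from leaking it.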