-
Simon McVittie authored
UpdateActivationEnvironment is the one dbus-daemon API call that is obviously dangerous (it is intended for the session bus), so the default system.conf does not allow anyone to call it. It has recently come to the D-Bus maintainers' attention that some system services incorrectly install D-Bus policy rules that allow arbitrary method calls to any destination as long as they have a "safe" object path. This is not actually safe: some system services that use low-level D-Bus bindings like libdbus, including dbus-daemon itself, provide the same API on all object paths. Unauthorized calls to UpdateActivationEnvironment are probably just resource consumption rather than privilege escalation, because on the system bus, the modified environment is only used to execute a setuid wrapper that avoids LD_PRELOAD etc. via normal setuid handling, and sanitizes its own environment before executing the real service. However, it's safest to assume the worst and treat it as a potential privilege escalation. Accordingly, as a hardening measure to avoid privilege escalation on systems with these faulty services, stop allowing calls to ("/com/example/Whatever", "org.freedesktop.DBus.UpdateActivationEnvironment") and only allow ("/org/freedesktop/DBus", "org.freedesktop.DBus.UpdateActivationEnvironment"). We deliberately continue to provide read-only APIs like GetConnectionUnixUser at all object paths, for backwards compatibility. Reviewed-by: Thiago Macieira <thiago@kde.org> [adjusted commit message to note that this is probably only DoS -smcv]
6a3f563a