• Simon McVittie's avatar
    Hardening: reject UpdateActivationEnvironment on non-canonical path · 6a3f563a
    Simon McVittie authored
    UpdateActivationEnvironment is the one dbus-daemon API call that is
    obviously dangerous (it is intended for the session bus),
    so the default system.conf does not allow anyone to call it.
    
    It has recently come to the D-Bus maintainers' attention that some
    system services incorrectly install D-Bus policy rules that allow
    arbitrary method calls to any destination as long as they have a
    "safe" object path. This is not actually safe: some system services
    that use low-level D-Bus bindings like libdbus, including dbus-daemon
    itself, provide the same API on all object paths.
    
    Unauthorized calls to UpdateActivationEnvironment are probably just
    resource consumption rather than privilege escalation, because on
    the system bus, the modified environment is only used to execute
    a setuid wrapper that avoids LD_PRELOAD etc. via normal setuid
    handling, and sanitizes its own environment before executing
    the real service. However, it's safest to assume the worst and
    treat it as a potential privilege escalation.
    
    Accordingly, as a hardening measure to avoid privilege escalation on
    systems with these faulty services, stop allowing calls to
    ("/com/example/Whatever",
    "org.freedesktop.DBus.UpdateActivationEnvironment")
    and only allow ("/org/freedesktop/DBus",
    "org.freedesktop.DBus.UpdateActivationEnvironment").
    
    We deliberately continue to provide read-only APIs like
    GetConnectionUnixUser at all object paths, for backwards compatibility.
    Reviewed-by: Thiago Macieira's avatarThiago Macieira <thiago@kde.org>
    [adjusted commit message to note that this is probably only DoS -smcv]
    6a3f563a
driver.h 2.39 KB