• Simon McVittie's avatar
    Change _dbus_create_directory to fail for existing directories · be51bfe9
    Simon McVittie authored
    If we don't trap EEXIST and its Windows equivalent, we are unable to
    detect the situation where we create an ostensibly unique
    subdirectory in a shared /tmp, but an attacker has already created it.
    This affects dbus-nonce (the nonce-tcp transport) and the activation
    reload test.
    
    Add a new _dbus_ensure_directory() for the one case where we want it to
    succeed even on EEXIST: the DBUS_COOKIE_SHA1 keyring, which we know
    we are creating in our own trusted "official" $HOME. In the new
    transient service support on Bug #99825, ensure_owned_directory()
    would need the same treatment.
    
    We are not treating this as a serious security problem, because the
    nonce-tcp transport is rarely enabled on Unix and there are multiple
    mitigations.
    
    The nonce-tcp transport creates a new unique file with O_EXCL and 0600
    (private to user) permissions, then overwrites the requested filename
    via atomic-overwrite, so the worst that could happen there is that an
    attacker could place a symbolic link matching the name of a directory
    we are going to create, causing a dbus-daemon configured for nonce-tcp
    to traverse the symlink and atomically overwrite a file named "nonce"
    in a directory of the attacker's choice, with new random contents that
    are not known to the attacker. This seems unlikely to be exploitable
    for anything worse than denial of service in practice. In mainline
    Linux since 3.6, this attack is also defeated by the
    fs.protected_symlinks sysctl, which many distributions enable by default.
    
    The activation reload test suffers from a classic symlink attack
    due to time-of-check/time-of-use errors in its implementation, but as
    part of the developer-only "embedded tests" that are only intended
    to be run on a trusted machine, it is not treated as security-sensitive.
    That code path will be fixed in a subsequent commit.
    
    Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99828Signed-off-by: 's avatarSimon McVittie <simon.mcvittie@collabora.co.uk>
    Reviewed-by: Philip Withnall's avatarPhilip Withnall <withnall@endlessm.com>
    be51bfe9
dbus-keyring.c 30.5 KB