Commit d9ab8931 authored by Simon McVittie's avatar Simon McVittie

Security hardening: force EXTERNAL auth in session.conf on Unix

DBUS_COOKIE_SHA1 is dependent on unguessable strings, i.e.
indirectly dependent on high-quality pseudo-random numbers
whereas EXTERNAL authentication (credentials-passing)
is mediated by the kernel and cannot be faked.

On Windows, EXTERNAL authentication is not available,
so we continue to use the hard-coded default (all
authentication mechanisms are tried).

Users of tcp: or nonce-tcp: on Unix will have to comment
this out, but they would have had to use a special
configuration anyway (to set the listening address),
and the tcp: and nonce-tcp: transports are inherently
insecure unless special steps are taken to have them
restricted to a VPN or SSH tunnelling.

Users of obscure Unix platforms (those that trigger
the warning "Socket credentials not supported on this Unix OS"
when compiling dbus-sysdeps-unix.c) might also have to
comment this out, or preferably provide a tested patch
to enable credentials-passing on that OS.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90414
parent 77e1b311
......@@ -14,6 +14,16 @@
<listen>@DBUS_SESSION_BUS_LISTEN_ADDRESS@</listen>
<!-- On Unix systems, the most secure authentication mechanism is
EXTERNAL, which uses credential-passing over Unix sockets.
This authentication mechanism is not available on Windows,
is not suitable for use with the tcp: or nonce-tcp: transports,
and will not work on obscure flavours of Unix that do not have
a supported credentials-passing mechanism. On those platforms/transports,
comment out the <auth> element to allow fallback to DBUS_COOKIE_SHA1. -->
@DBUS_SESSION_CONF_MAYBE_AUTH_EXTERNAL@
<standard_session_servicedirs />
<policy context="default">
......
......@@ -435,6 +435,7 @@ if (WIN32)
set (DBUS_SESSION_CONFIG_FILE "etc/dbus-1/session.conf")
# bus-test expects a non empty string
set (DBUS_USER "Administrator")
set (DBUS_SESSION_CONF_MAYBE_AUTH_EXTERNAL "<!--<auth>EXTERNAL</auth>-->")
else (WIN32)
set (DBUS_SESSION_BUS_LISTEN_ADDRESS "unix:tmpdir=${DBUS_SESSION_SOCKET_DIR}" CACHE STRING "session bus default listening address")
set (DBUS_SESSION_BUS_CONNECT_ADDRESS "autolaunch:" CACHE STRING "session bus fallback address for clients")
......@@ -443,6 +444,9 @@ else (WIN32)
set (DBUS_SYSTEM_CONFIG_FILE ${configdir}/system.conf)
set (DBUS_SESSION_CONFIG_FILE ${configdir}/session.conf)
set (DBUS_USER "root")
# For best security, assume that all non-Windows platforms can do
# credentials-passing.
set (DBUS_SESSION_CONF_MAYBE_AUTH_EXTERNAL "<auth>EXTERNAL</auth>")
endif (WIN32)
set (DBUS_DAEMON_NAME "dbus-daemon" CACHE STRING "The name of the dbus daemon executable")
......
......@@ -122,6 +122,13 @@ if test "$dbus_cygwin" = yes; then
AC_DEFINE(DBUS_CYGWIN,1,[Defined if we run on a cygwin API based system])
fi
# For best security, assume that all non-Windows platforms can do
# credentials-passing.
AS_IF([test "$dbus_win" = yes],
[DBUS_SESSION_CONF_MAYBE_AUTH_EXTERNAL="<!--<auth>EXTERNAL</auth>-->"],
[DBUS_SESSION_CONF_MAYBE_AUTH_EXTERNAL="<auth>EXTERNAL</auth>"])
AC_SUBST([DBUS_SESSION_CONF_MAYBE_AUTH_EXTERNAL])
AM_CONDITIONAL(DBUS_WIN, test "$dbus_win" = yes)
AM_CONDITIONAL(DBUS_WINCE, test "$dbus_wince" = yes)
AM_CONDITIONAL(DBUS_UNIX, test "$dbus_unix" = yes)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment