[patch] dbus system activation

Richard Hughes hughsient at gmail.com
Wed Jun 13 10:57:39 PDT 2007


The dbus-daemon runs as the dbus user, and is therefore unprivileged.
Earlier attempts [1] by David Zeuthen at launching system daemons using
a custom DBUS protocol were reviewed, but deemed too difficult to audit,
and also due to a multi-threaded design, too difficult to test. In the
next few paragraphs I will outline a simpler setuid approach for
launching daemons as a configured user.


Launching programs using dbus has been a topic of interest for many
months. This would allow simple systems to only start services that are
needed, and that are automatically started only when first requested.
This removes the need for an init system, and means that we can
trivially startup services in parallel. This has immediate pressing need
for OLPC, with a longer term evaluation for perhaps Fedora and RHEL.


In this implementation I have an single executable,
dbus-daemon-activation-helper, with the ownership root:dbus. This has
the permissions 4750, i.e. u+rwx g+rx +setuid. It is currently located
in /usr/libexec/.

The helper must not be passed input that can be changed maliciously, and
therefore passing a random path with user id is totally out of the
question. In this implementation a similar idea as discussed with
Davids' patch was taken, that to pass a single name argument to the
helper. This service name "org.me.test" is then searched for in
the .server files in /usr/share/dbus/services. A typical service file
would look like:

[D-BUS Service]

This gives the user and group to switch to, and also the path of the
executable. The service name must match that specified in
the /etc/dbus-1/system.d conf file.

Precautions taken:
• Only the bus name is passed to the helper, and this is validated
• We are super paranoid about the user that called us, and what
permissions we have.
• We clear all environment variables except for DBUS_VERBOSE which is
used for debugging
• Anything out of the ordinary causes the helper to abort.


• This is the first time I have worked on DBUS core or any security
sensitive applications so there may be big glaring errors. This needs
reviewing carefully.
• The standard_session_servicedirs command is used in the system file,
which we need to decide what do do with.
• The system "org.me.test" scripts are not integrated with make check,
and are just dumped in test.


./autogen.sh --enable-verbose-mode --with-dbus-user=dbus
su -l
make install
rm /usr/local/var/run/messagebus.pid
cp -v test/org.me.test.conf /usr/local/etc/dbus-1/system.d/
cp -v test/org.me.test.service /usr/local/share/dbus-1/services/
cp -v test/dbus-test-server.py /usr/local/sbin/
DBUS_VERBOSE=1 /usr/local/bin/dbus-daemon
--config-file /usr/local/etc/dbus-1/system.conf --nofork
(as another user)
dbus-send  --system \
	--dest=org.me.test \
	--type=method_call \
	--print-reply /org/me/test \
	org.me.test.SetDisplayBrightness int32:0

I have a F7 SRPM [2] with this patch if this would be easier to test.

Thanks guys,

Richard Hughes

[1] http://lists.freedesktop.org/archives/dbus/2006-October/006096.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dbus-system-activation-04.patch
Type: text/x-patch
Size: 28847 bytes
Desc: not available
Url : http://lists.freedesktop.org/archives/dbus/attachments/20070613/9bfd212d/attachment-0001.bin 

More information about the dbus mailing list