Some odd issues with D-Bus on Solaris

Havoc Pennington hp at redhat.com
Tue Sep 4 18:47:47 PDT 2007


Hi,

On 9/4/07, Brian Cameron <Brian.Cameron at sun.com> wrote:
> When we build D-Bus, we call configure with the following
>
>    --with-dbus-user=root
>
> I can see in the configure.in script that the default value is messagebus,
> so I'm guessing D-Bus might want the system to have a new user and group of
> this name?  Are there any issues with just using root?

It is substantially less secure all else equal. The "messagebus" user
is intended to be a "nobody" type of user with no permissions to do
anything; so if there were a buffer-overflow type exploit in
dbus-daemon, the attacker would need to then additionally use
dbus-daemon to exploit something else, since gaining user "messagebus"
is not very useful. However, if you run dbus-daemon as root, then
exploiting dbus-daemon is good enough on its own.

> /usr/lib/dbus-daemon-launch-helper

(should be /usr/libexec?)

> I'm wondering what breaks if Solaris doesn't set ownership and permissions
> for this program appropriately.

The dbus-daemon-launch-helper is used to start up a systemwide daemon
and set that daemon to an appropriate user ID. For example, with
Richard's new PackageKit I think it starts up a systemwide daemon that
does package management (and probably runs as root, though I haven't
looked). These systemwide daemons that can be started by the helper
are described in .service files. The launch helper takes the name of a
service file as input, so it can't be used to start up anything that
doesn't have a .service file in the appropriate directory.

Since dbus-daemon is not running as root, it can't set the user ID for
any daemons that it starts; that's where the launch helper comes in.
The launch helper has to be setuid so it can run as root when started
by the non-root dbus-daemon. Since the launch helper is running as
root it can start services running as whoever.

If you are running dbus-daemon as root, then you don't need the launch
helper to be setuid. In fact the launch helper would not be necessary
if you made a simple change to dbus-daemon to set the effective uid of
the launched child (right now the set-the-user-id code just isn't in
dbus-daemon, since we didn't know anyone was running dbus-daemon as
root). With that change to dbus-daemon you could remove the launch
helper from system.conf and not install the launch helper at all.

My advice would be to copy the default setup (run dbus-daemon as a
no-privileges "nobody" user, and have a setuid launch helper).

If you don't have any packages on Solaris that use the system bus
service-launching feature (i.e. if you have no systemwide .service
files), then you could just not install the launch helper, btw, which
would be a pretty good solution until such time as you do have
something that needs the feature. Remove the launch helper and the
service directory configuration from system.conf and you'll be all
set.

The long-term plan on Linux may be to basically get rid of initscripts
(at least for nonlegacy, desktop-type systemwide daemons) and just
have everything launched on demand by the bus daemon. For Solaris if
you follow this path you'd need to figure out the launch helper thing
and if you don't follow this path you could just remove the service
directory and launch helper config from system.conf.

Havoc
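
An added example, not part of the original message or of the D-Bus source: a small Python audit of the setup described above, checking which user system.conf names for the bus and whether the launch helper's ownership and mode fit the role the message gives it. The sample config, the finding names, the helper path and the root:messagebus mode 4750 convention are assumptions not stated in the thread.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample configs, not taken from the thread.
TEMPLATE = """<busconfig>
  <user>{user}</user>
  <servicehelper>/usr/libexec/dbus-daemon-launch-helper</servicehelper>
  <standard_system_servicedirs/>
</busconfig>"""
ROOT_BUS = TEMPLATE.format(user="root")
DEFAULT_BUS = TEMPLATE.format(user="messagebus")

def helper_stat(path):
    """Return (mode, uid) of the helper, or None if it is not installed."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_mode, st.st_uid

def audit(conf_xml, helper=None):
    """Return findings for a system.conf string and the helper's (mode, uid)."""
    cfg = ET.fromstring(conf_xml)
    user = (cfg.findtext("user") or "").strip()
    # Service activation is in use if any system service directory is configured.
    activation = any(cfg.find(tag) is not None
                     for tag in ("servicedir", "standard_system_servicedirs"))
    setuid_root = bool(helper and helper[0] & stat.S_ISUID and helper[1] == 0)
    findings = []
    if user in ("", "root"):
        # No <user> element: the daemon keeps the identity it was started with.
        findings.append("bus-not-dropping-to-unprivileged-user")
        if setuid_root:
            findings.append("setuid-helper-not-needed-when-bus-is-root")
    elif activation and not setuid_root:
        # A non-root bus cannot switch user IDs for launched services itself.
        findings.append("activation-configured-but-helper-not-setuid-root")
    if setuid_root and not activation:
        findings.append("setuid-helper-installed-but-no-service-dirs")
    if setuid_root and helper[0] & stat.S_IXOTH:
        # Assumed convention: root:messagebus, mode 4750 (no access for "other").
        findings.append("setuid-helper-world-executable")
    return findings

if __name__ == "__main__":
    st = helper_stat("/usr/libexec/dbus-daemon-launch-helper")  # assumed path
    for name, conf in (("root bus", ROOT_BUS), ("default bus", DEFAULT_BUS)):
        print(name, audit(conf, st))
```

On a real host, pass the contents of the installed system.conf and the result of `helper_stat()` for the path named in its `<servicehelper>` element.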

