The Plan for CVE-2008-4311

Scott James Remnant scott at canonical.com
Tue Dec 23 23:23:44 PST 2008


On Tue, 2008-12-23 at 12:54 -0500, Colin Walters wrote:

> On Mon, Dec 22, 2008 at 3:44 AM, Scott James Remnant
> <scott at canonical.com> wrote:
> > On Wed, 2008-12-17 at 18:10 -0500, Colin Walters wrote:
> >
> >> Concurrently, we apply these fixes to continuing the 1.2.X stream.
> >> The primary difference between 1.2.X and 1.2.4.Xpermissive is simply
> >> the default policy for method calls.  In 1.2.X it will be deny (as
> >> intended originally), and 1.2.4.Xpermissive it will be permissive.
> >>
> > I'd like to see the default for signals be deny as well, since we're
> > fixing application policy anyway, we should fix the apps to allow others
> > to receive their signals.
> 
> The problem is that regardless, one needs to check the message sender
> on the recipient side for generic interfaces; e.g. the
> "PropertiesChanged" signal that IIRC was proposed as an addition to
> the standard.  So, it is a binding/application issue.
> 
Sure, but this is analogous to filling in the destination bus name when
making a method call from a client.

Fill in the bus name when sending, check the bus name when receiving
signals (i.e. put it in the match).

> Now, it would probably make sense for services to be able to
> effectively claim an interface prefix in the security file.  Retaining
> the permissive default this would look maybe something like:
> 
> <deny  sender_not="org.freedesktop.Hal",
> receive_interface="org.freedesktop.Hal.*"/>
> 
I don't see why this helps?

If deny is the default for signals, then services simply do:

<allow sender="org.freedesktop.Hal"
       send_interface="org.freedesktop.Hal"/>

This is analogous to their existing receive policy lines.


This means all services do two symmetrical things, and all clients do
two symmetrical things.  Policy and ACLs are much easier to understand
when they're symmetrical.

Plus your "deny sender_not" has interestingly weird overlapping
semantics when you want two services to implement the same interface.

Scott
-- 
Scott James Remnant
scott at canonical.com
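Added example, not part of this thread or of the dbus project's code: a small parser for the D-Bus match-rule syntax ("key='value',key='value'") and a matcher that applies a rule to signal messages, to show what "put the bus name in the match" buys a client. Two constructed signals share interface and member; only one comes from the connection owning org.freedesktop.Hal. A rule without sender= accepts both, a rule with sender= accepts only the genuine one. The messages are plain dicts built here, no bus is involved, and the matcher compares names as strings (a simplification: the real daemon resolves a well-known name in sender= to its current owner).

```python
"""Match-rule sender check for D-Bus signals (added illustration)."""

# Constructed sample messages.  "sender" is the name the bus daemon stamps
# on every message it forwards; a connection cannot forge it, which is why
# filtering on it is meaningful.
GENUINE_SIGNAL = {
    "type": "signal",
    "sender": "org.freedesktop.Hal",
    "path": "/org/freedesktop/Hal/devices/example",
    "interface": "org.freedesktop.Hal.Device",
    "member": "PropertyModified",
}
# Same interface and member, emitted by some other connection that does
# not own org.freedesktop.Hal (only its unique name appears as sender).
OTHER_SENDER_SIGNAL = dict(GENUINE_SIGNAL, sender=":1.42")

# Subset of match keys from the D-Bus specification handled here.
MATCH_KEYS = ("type", "sender", "interface", "member", "path", "destination")


def build_match_rule(**fields: str) -> str:
    """Build a rule such as type='signal',sender='org.freedesktop.Hal'.

    Keys are emitted in a fixed order so the output is canonical.  Bus
    names, interfaces, members and paths never contain an apostrophe, so
    a value with one is rejected instead of escaped.
    """
    parts = []
    for key in MATCH_KEYS:
        if key in fields:
            if "'" in fields[key]:
                raise ValueError(f"apostrophe not allowed in {key}")
            parts.append(f"{key}='{fields[key]}'")
    return ",".join(parts)


def _split_on_unquoted_commas(rule: str) -> list[str]:
    """Split the rule on commas that are outside single quotes."""
    parts, current, in_quote = [], [], False
    for ch in rule:
        if ch == "'":
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    if in_quote:
        raise ValueError("unterminated quote in match rule")
    if current:
        parts.append("".join(current))
    return [p for p in parts if p.strip()]


def parse_match_rule(rule: str) -> dict[str, str]:
    """Parse "key='value',key='value'" into a dict; unknown keys are rejected."""
    result: dict[str, str] = {}
    for pair in _split_on_unquoted_commas(rule):
        if "=" not in pair:
            raise ValueError(f"malformed match rule element: {pair!r}")
        key, value = pair.split("=", 1)
        key = key.strip()
        if key not in MATCH_KEYS:
            raise ValueError(f"unsupported match key: {key!r}")
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]
        result[key] = value
    return result


def signal_matches(rule: str, message: dict[str, str]) -> bool:
    """True when every key in the rule equals the message's field."""
    wanted = parse_match_rule(rule)
    return all(message.get(k) == v for k, v in wanted.items())


def demo() -> dict[str, tuple[bool, bool]]:
    """Apply a rule without and with sender= to both constructed signals.

    Returns {label: (genuine accepted, other sender accepted)}.
    """
    loose = build_match_rule(type="signal",
                             interface="org.freedesktop.Hal.Device")
    strict = build_match_rule(type="signal", sender="org.freedesktop.Hal",
                              interface="org.freedesktop.Hal.Device")
    return {
        "without sender": (signal_matches(loose, GENUINE_SIGNAL),
                           signal_matches(loose, OTHER_SENDER_SIGNAL)),
        "with sender": (signal_matches(strict, GENUINE_SIGNAL),
                        signal_matches(strict, OTHER_SENDER_SIGNAL)),
    }


if __name__ == "__main__":
    for label, (genuine, other) in demo().items():
        print(f"{label:15} genuine={genuine} other_sender={other}")
```

The same check is what a deny-by-default signal policy enforces on the bus side; the match rule is the client-side half that Scott describes as symmetrical with filling in the destination name on a method call.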