[RFC] Making D-Bus suitable for being run early during boot

David Zeuthen zeuthen at gmail.com
Fri Jul 9 14:16:10 PDT 2010


Hey,

On Fri, Jul 9, 2010 at 4:53 PM, Lennart Poettering <mzqohf at 0pointer.de> wrote:
> Well, most of the really early userspace code is also kinda crucial for
> the entire system. i.e. if systemd dies, the entire system is hosed. If
> D-Bus dies, the entire system is hosed.

No it's not. My point is that this statement just isn't true - right
now, my system runs just fine if I nuke the system bus daemon. Of
course, I can't use any modern desktop etc. etc. so in reality the
system is unusable.

But that's *unimportant*, the important thing is that if the system
bus daemon dies then a hostile unprivileged process can easily just
claim the socket... and since the D-Bus clients *do not*
authenticate the D-Bus server (e.g. the bus daemon) you have a
security problem. Because then any D-Bus client side code (libdbus-1,
gdbus, whatever), will then happily connect to the bus and, say, use
org.freedesktop.PolicyKit1 to check an authorization. The hostile code
can easily mimic this service and, boom, there's your security
problem. So, basically, here's how to gain root for unprivileged code

 1. Sit around and wait for dbus-daemon to die
 2. Claim the socket and pretend to be a bus daemon
 3. Also pretend to be org.freedesktop.PolicyKit1
 4. run 'pkexec bash'
 5. handle the CheckAuthorization() call on org.freedesktop.PolicyKit1
 6. Enjoy being uid 0

Sure, it's all theoretical and only happens if the moon is in the
right phase and the sun shines and so on... but... that's how most
security issues are anyway.

> And again, since systemd can be used to reserve those sockets early on,
> it is really a safe choice I believe -- only of course if you do things
> properly.

That assumes you are using systemd. Which everyone sadly isn't going
to be. And I don't think it's good to require people to be running
systemd to avoid a security problem.

Anyway .... even if you are running systemd there's a short window
between when the system bus daemon dies and systemd is claiming the
socket. So in that case, you are still vulnerable.

So, you really shouldn't be using abstract sockets without each side
authenticating the other end.

     David
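
Added example, not part of the original message and not D-Bus code: on Linux, a client can ask the kernel which uid owns the listening end of a Unix socket (abstract ones included) with SO_PEERCRED, and drop the connection unless that uid is one it trusts. The socket name, the function names and the trusted-uid set are assumptions made for illustration.

```python
import os
import socket
import struct

UCRED = struct.Struct("iII")  # Linux struct ucred: pid_t pid, uid_t uid, gid_t gid


def peer_credentials(sock):
    """Return (pid, uid, gid) the kernel recorded for the other end of a Unix socket."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    return UCRED.unpack(raw)


def connect_authenticated(address, trusted_uids):
    """Connect to a Unix socket; keep the connection only if the listener's uid is trusted."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.connect(address)
        pid, uid, _gid = peer_credentials(sock)
        if uid not in trusted_uids:
            raise PermissionError(f"listener pid={pid} runs as uid={uid}, not trusted")
        return sock
    except BaseException:
        sock.close()
        raise


def demo():
    """Constructed scenario: this process listens on an abstract socket, then connects to it."""
    address = b"\0example-bus-%d" % os.getpid()  # hypothetical abstract socket name
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(address)
    listener.listen(2)
    try:
        # Case 1: the listener's uid is in the trusted set, so the connection is kept.
        connect_authenticated(address, {os.getuid()}).close()
        accepted = True
        # Case 2: the client trusts only another uid (standing in for the real
        # daemon's uid), so this listener is refused before any message is sent.
        try:
            connect_authenticated(address, {os.getuid() + 1}).close()
            rejected = False
        except PermissionError:
            rejected = True
        return accepted, rejected
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

SO_PEERCRED is Linux-specific, and for a connecting client it reports the credentials the listener had when it called listen(), so the check has to run before anything received on the connection is acted on.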

