Disabling new D-Bus protocol features by default
marcel at holtmann.org
Mon Nov 8 22:26:31 PST 2010
> I'd like to disable the Unix FD passing by default in libdbus-1.
> The reason for this is that when running against old application and binding
> code, receiving a message containing an FD causes unpredictable results.
> Bindings are often written to assume they can understand any type thrown at
> them, so they might throw a fit if they see a type they don't know.
> This could be used as an attack vector from remote applications, including on
> the system bus.
> Applications and bindings that want to use Unix FD passing (or, in the future,
> Maybe types and other things) will have to enable the feature by themselves,
> by calling dbus_connection_open_with_flags or dbus_bus_get_with_flags (or their
> private versions). The rationale is that applications didn't support FD
> passing before, in D-Bus 1.2, so they are being modified right now to support
> the feature anyway.
I agree with Lennart here. This is not a D-Bus issue. The applications
must be able to do input validations. So if they don't validate the
signature properly, then they are broken on so many levels. This patch
is not gonna help. It just tries to hide the problem. This is pure
security by obscurity.
And your security attack vector point exists anyway. I can always send
D-Bus messages with unknown types. As long as the dbus-daemon supports
them, they will be forwarded.
Also you don't wanna put more logic and safety inside the dbus-daemon
since that is the wrong place. I would actually consider taking more and
more checks out of the daemon for performance reasons and let the
applications/bindings deal with it. Relying on only valid data from
dbus-daemon is just wrong. That is a recipe for disaster.
> I thought we had agreed on this during the 1.3 development cycle, but
> apparently it was forgotten. I've realised now that the patch was submitted
> only for the Maybe types, see
> Therefore, I'd like to apply this patch (or equivalent that works):
> This is a behaviour change in D-Bus 1.4, but I believe it's better to modify
> the few apps that are changing to support FD passing while we have time than
> the majority of the apps and the existing, released bindings that don't
> support the new feature.
This is too late now. Fedora 14 and the latest Ubuntu are shipping D-Bus
1.4 and you would break API for applications already using FD passing.
The right approach is to get the bindings fixed. And also to fix the
broken application. As stated above they are broken and vulnerable
anyway. I say clearly that the issue needs to be fixed at the root cause
and not worked around at some other place.
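
An added example, not part of the original message or of libdbus: the kind of signature check an application or binding can run on a received message before decoding any argument, rejecting the UNIX_FD type code `h` unless it has opted in. The names `check_signature`, `parse_type` and `allow_fd` are hypothetical, and the single combined nesting cap is this example's simplification.

```c
#include <string.h>

/* Verdict on a signature, reached before any argument is decoded. */
enum sig_result { SIG_OK = 0, SIG_MALFORMED, SIG_UNSUPPORTED };

#define SIG_MAX_LEN   255 /* D-Bus limit on signature length */
#define SIG_MAX_DEPTH 32  /* one combined nesting cap (example's choice) */

/* Parse one complete type at *p and advance *p past it. */
static enum sig_result parse_type(const char **p, int depth, int allow_fd)
{
    enum sig_result r;
    char c = *(*p)++;

    if (depth > SIG_MAX_DEPTH)
        return SIG_MALFORMED;
    if (c != '\0' && strchr("ybnqiuxtdsogv", c))
        return SIG_OK;                /* basic types and variant */
    if (c == 'h')                     /* UNIX_FD: only when opted in */
        return allow_fd ? SIG_OK : SIG_UNSUPPORTED;
    if (c == 'a' && **p == '{') {     /* dict entry: basic key + one value */
        (*p)++;
        if (**p == '\0' || !strchr("ybnqiuxtdsogh", **p))
            return SIG_MALFORMED;
        if ((r = parse_type(p, depth + 1, allow_fd)) != SIG_OK ||
            (r = parse_type(p, depth + 1, allow_fd)) != SIG_OK)
            return r;
        return *(*p)++ == '}' ? SIG_OK : SIG_MALFORMED;
    }
    if (c == 'a')
        return parse_type(p, depth + 1, allow_fd);
    if (c == '(' && **p != ')') {     /* struct: one or more members */
        while (**p != ')')
            if ((r = parse_type(p, depth + 1, allow_fd)) != SIG_OK)
                return r;
        (*p)++;
        return SIG_OK;
    }
    return SIG_MALFORMED;             /* unknown or stray type code */
}

/* Check a whole signature: zero or more complete types. */
enum sig_result check_signature(const char *sig, int allow_fd)
{
    enum sig_result r = SIG_OK;
    if (sig == NULL || strlen(sig) > SIG_MAX_LEN)
        return SIG_MALFORMED;
    while (r == SIG_OK && *sig != '\0')
        r = parse_type(&sig, 0, allow_fd);
    return r;
}
```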