[PATCH] fill_user_info: fake user info for 'root' if it can not be found
Krzysztof Konopko
krzysztof.konopko at gmail.com
Wed Feb 27 09:26:19 PST 2013
2013/2/27 Simon McVittie <simon.mcvittie at collabora.co.uk>
> On 26/02/13 22:15, Krzysztof Konopko wrote:
> > Rummaging in /proc for credentials is an interesting approach: if
> done
> > incorrectly it can be a time of check/time of use vulnerability, but
> I
> > think you've avoided that.
> >
> >
> > I've been considering tidying it up and making generic enough to
> > potentially replace some getpw*() calls altogether as the latter ones
> > are just an "implementation detail". In many cases all that D-Bus
> > daemon cares about is the same what the kernel cares about: numbers
> > (UIDs/GIDs).
>
> getpw*() and getgrouplist() are the only portable interface for this:
> /proc is Linux-specific.
>
Oh yes, this would be Linux-specific.
>
> If you wanted to extend the D-Bus policy language to support
>
> <policy user="#0">...</policy>
> <policy group="#42">...</policy>
>
> which didn't bother with a getpwnam() or getpwuid() and just did simple
> integer matching, that would be fine. (If you do: bug report, please.)
>
I thought it's already supported but personally I don't think it's a good
idea to use it. To me policies should be based on "static" (well defined)
users and groups that exist on the system when dbus-daemon starts and that
can be referred by human-readable names. Otherwise IMO it leads to sloppy
policies.
OTH I think it's fine (to some degree) if a process joins a group
"dynamically" or runs with a "dynamically" assigned UID so that policies
can be leveraged to the full extent. The idea here is inspired by the
aforementioned Android where a newly installed application gets a unique
UID assigned and becomes a member of groups required for its normal
operation. So one gets nice privilege separation but it becomes tricky if
anything like /etc/{passwd,group} has to be modified to achieve this. My
approach was to separate these concerns in D-Bus by detaching from standard
libc getpw*() approach wherever possible.
>
> Similarly, I wouldn't object to a patchset which tried to obtain peer
> processes' groups via /proc on Linux, falling back to mapping the uid to
> a username then calling getgrouplist() for that username on other Unix
> platforms - but this would need to be checked for regressions on at
> least one non-/proc Unix platform, and I suspect the code structure may
> make this harder than it looks at first glance. That would resolve
> <https://bugs.freedesktop.org/show_bug.cgi?id=9328> if implemented.
>
I'm keen to make such an attempt. With small patches and well understood
steps I think it's plausible. It won't be a rapid activity though due to
limited amount of my spare time. Looking forward though to get on with it.
>
> S
>
Cheers,
Kris
> _______________________________________________
> dbus mailing list
> dbus at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/dbus
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/dbus/attachments/20130227/c87f92bb/attachment-0001.html>
More information about the dbus
mailing list