Some odd issues with D-Bus on Solaris
Brian Cameron
Brian.Cameron at Sun.COM
Wed Sep 5 10:51:13 PDT 2007
Havoc:
Thanks for explaining how dbus-daemon-launch-helper works.
>> I can see in the configure.in script that the default value is messagebus,
>> so I'm guessing D-Bus might want the system to have a new user and group of
>> this name? Are there any issues with just using root?
>
> It is substantially less secure all else equal. The "messagebus" user
> is intended to be a "nobody" type of user with no permissions to do
> anything; so if there were a buffer-overflow type exploit in
> dbus-daemon, the attacker would need to then additionally use
> dbus-daemon to exploit something else, since gaining user "messagebus"
> is not very useful. However, if you run dbus-daemon as root, then
> exploiting dbus-daemon is good enough on its own.
>
>> /usr/lib/dbus-daemon-launch-helper
>
> (should be /usr/libexec?)
On Solaris, we ship libexec programs in /usr/lib.
> My advice would be to copy the default setup (run dbus-daemon as a
> no-privileges "nobody" user, and have a setuid launch helper).
>
> If you don't have any packages on Solaris that use the system bus
> service-launching feature (i.e. if you have no systemwide .service
> files), then you could just not install the launch helper, btw, which
> would be a pretty good solution until such time as you do have
> something that needs the feature. Remove the launch helper and the
> service directory configuration from system.conf and you'll be all
> set.
Could you list common things that use such system-wide services?
I think this might help me understand if we are shipping such things
on Solaris. (aside from PackageKit).
On Solaris, there are a bunch of services in /usr/share/dbus-1/services
and nothing in /usr/share/dbus-1/system-services.
In /etc/dbus-1/session.d, there are no files, and in /etc/dbus-1/system.d
we only ship a hal.conf file. Once we update to using the new D-Bus
version of GDM we will also need to have a ConsoleKit.conf and a gdm.conf.
Would this indicate that we are using systemwide services or not?
When you say remove the launch helper and the service directory configuration
from system.conf I assume you mean /etc/dbus-1/system.conf. Do you mean these
lines:
<servicehelper>/usr/lib/dbus-daemon-launch-helper</servicehelper>
[...]
<!-- Config files are placed here that among other things, punch
holes in the above policy for specific services. -->
<includedir>system.d</includedir>
If you comment out these lines, does setting --with-dbus-user=root
make sense?
> The long-term plan on Linux may be to basically get rid of initscripts
> (at least for nonlegacy, desktop-type systemwide daemons) and just
> have everything launched on demand by the bus daemon. For Solaris if
> you follow this path you'd need to figure out the launch helper thing
> and if you don't follow this path you could just remove the service
> directory and launch helper config from system.conf.
I'm not sure what the plan here is for Solaris. Artem pointed out
that on Solaris we might need to use a different approach of "least
privilege", so it might be a bit of work to get this feature working
on Solaris. Though it might be worth arguing to go along with the
existing Linux process of using the messagebus user in the meantime.
I'll have to start some discussions with the security people here
at Sun to find out.
Brian
More information about the dbus
mailing list