Anonymous auth method is broken

Havoc Pennington havoc.pennington at gmail.com
Sat Jan 31 12:14:08 PST 2009


Hi,

On Sat, Jan 31, 2009 at 2:43 PM, Peter Würtz <wuertz at uni-mainz.de> wrote:
> I took some time to examine the anonymous method further. The problem is
> not related to TCP/IP. The anonymous method is not doing anything at all
> at the moment. According to ChangeLog.pre-1-2, there is a
> "allow_anonymous" flag which has been added some time ago (2007-06-12).
> The "auth_via_default_rules" method relies on this flag if you want
> anonymous access to succeed. But the flag is completely unused. It's not
> even initialized. So if you choose to be pedantic about that, there is a
> security hole in dbus because "auth_via_default_rules" accesses an
> undefined flag, which is luckily zero by default.

It isn't luckily zero, the struct is allocated with dbus_new0 which
inits all bits 0. So it will always be 0 (that is the intent anyway).

> I'm not sure how to use this flag properly. The flag belongs to the
> DBusTransport struct. But the anonymous auth methods in dbus-auth.c
> don't have access to any transport object, thus the anonymous method
> cannot set the allow_anonymous flag for itself. So actually you have to
> move the flag from the DBusTransport struct to the DBusCredentials
> struct and let the anonymous auth method enable it, right?

dbus_connection_set_allow_anonymous() should be called by the server
(DBusServer API user) that wants to allow connections that have not
proven themselves to have any identity. dbus-daemon never does this
because it doesn't necessarily know what to do with an identity-less
connection, though it may mostly do the right thing in that case
already, I have not personally audited dbus-daemon for this or thought
about what 'should' happen if an identity-less connection is on the
system or session bus.

> On the other hand, the default session-bus configuration from my distro
> does not specify any auth methods, so any auth method is allowed by
> default, even the anonymous auth method, which does not work luckily. So
> maybe the anonymous method is supposed to be broken.

It is supposed to be useless (not broken) with dbus-daemon; you can
auth as nobody (i.e. the auth mechanism works), but the daemon doesn't
allow connections authed as nobody, so as soon as you auth it is going
to toss you off.

Havoc
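
The behaviour described in this thread, as an added example that is not part of the original message and is not libdbus code: a simplified C model in which authentication as nobody succeeds but a zero-initialised flag keeps the connection from being authorized until the server opts in. All `model_*` names, the UID values and the same-user rule for identified peers are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a transport object; not libdbus's DBusTransport. */
typedef struct {
    bool allow_anonymous;   /* opt-in flag, never set by the auth mechanism */
    unsigned owner_uid;     /* identity the server itself runs as (constructed) */
} model_transport;

/* What the auth handshake proved about the peer. */
typedef struct {
    bool has_identity;      /* false after a successful anonymous auth */
    unsigned uid;
} model_credentials;

/* calloc() plays the role dbus_new0 has in the thread: every bit starts at
 * zero, so allow_anonymous is false without any explicit initialisation. */
model_transport *model_transport_new(unsigned owner_uid)
{
    model_transport *t = calloc(1, sizeof *t);
    if (t != NULL)
        t->owner_uid = owner_uid;
    return t;
}

/* Server-side opt-in: only the API user flips the flag, never the peer. */
void model_set_allow_anonymous(model_transport *t, bool value)
{
    t->allow_anonymous = value;
}

/* Authorization step that runs after authentication has already succeeded. */
bool model_authorize(const model_transport *t, const model_credentials *c)
{
    if (!c->has_identity)
        return t->allow_anonymous;     /* identity-less peer: opt-in only */
    return c->uid == t->owner_uid;     /* model assumption: same user only */
}

int main(void)
{
    model_transport *t = model_transport_new(1000);
    model_credentials anon = { false, 0 };
    if (t == NULL) return 1;
    printf("default:  %d\n", model_authorize(t, &anon));
    model_set_allow_anonymous(t, true);
    printf("opted in: %d\n", model_authorize(t, &anon));
    free(t);
    return 0;
}
```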

