bug with 5 code lines

Ralf Habacker ralf.habacker at freenet.de
Fri Nov 20 11:03:40 PST 2009


Ralf Habacker wrote:
> Julien Isorce wrote:
>> Hi,
>>
>> Thx for the reply.
>>
>> I tried what you suggested:
>>
>> 2 cases, the first works, the second (the one I want) does not work:
>>
>> First case:
>> ---------------------------------
>> I run dbus-daemon --system in command line so the user is Administrator.
>> In other cmd, I run dbus-send --print-reply --system 
>> --dest="org.freedesktop.DBus" /org/freedesktop /DBus/Introspectable 
>> org.freedesktop.DBus.Introspectable.Introspect
>> I got a reply and it's ok.
>> I attached the log of the server to this mail: 
>> dbus-daemon_administrator_classic.log
>> ---------------------------------
>>
>>
>> Second case:
>> ---------------------------------
> I assume in this case you are using DBUS_COOKIE_SHA1 auth
>> I run :
>> cygrunsrv -I dbus-daemon -i --path 
>> /cygdrive/c/dbus/dbus-exe/bin/dbus-daemon.exe --chdir 
>> /cygdrive/c/dbus/dbus-exe --args --system --env DBUS_VERBOSE=1 --env 
>> DBUS_TEST_HOMEDIR=C:\dbus\dbus-exe
>> then: cygrunsrv -S dbus-daemon
>> I can then see the dbus-daemon.exe process in task manager and the 
>> user name is SYSTEM
>>
>> In other cmd, I run dbus-send --print-reply --system 
>> --dest="org.freedesktop.DBus" /org/freedesktop /DBus/Introspectable 
>> org.freedesktop.DBus.Introspectable.Introspect
>> The error from the client is: dbus-send.log attached to this mail
> the second log contains the following entry:
>
> 272: Client authorized as SID 'S-1-5-18' but our SID is 'S-1-5-18', 
> disconnecting
>
> This message comes from dbus/dbus-transport.c::auth_via_default_rules 
> (for the complete code see 
> http://cgit.freedesktop.org/dbus/dbus/tree/dbus/dbus-transport.c)
>
> The default auth rules are [1]:
>
>  /* By default, connection is allowed if the client is 1) root or 2)
>   * has the same UID as us or 3) anonymous is allowed.
>   */
>  if (transport->allow_anonymous ||
>      _dbus_credentials_get_unix_uid (auth_identity) == 0 ||
>      _dbus_credentials_same_user (our_identity,
>                                   auth_identity))
>    {
>
> Because none of the conditions is true DBUS_COOKIE_SHA1 auth fails (see 
> the code snippet below)
>
>  else
>    {
>      if (_dbus_credentials_include(our_identity,DBUS_CREDENTIAL_WINDOWS_SID))
>          _dbus_verbose ("Client authorized as SID '%s'"
>                         " but our SID is '%s', disconnecting\n",
>                         _dbus_credentials_get_windows_sid(our_identity),
>                         _dbus_credentials_get_windows_sid(our_identity));
>     else
>
>      _dbus_transport_disconnect (transport);
>      allow = FALSE;
>
> BTW: The code also shows a bug - for the client the server SID is also 
> printed. I found this bug in all available dbus implementations and 
> it should be fixed -> patch will follow
>
> If you have the dbus source you may comment out the following line  
> from [1]
>
>      _dbus_credentials_same_user (our_identity,
>                                   auth_identity))
>
Sorry, I was wrong with this patch: it is required not to comment out the 
above-mentioned line; instead the following lines should be used (both 
our_identity)

     _dbus_credentials_same_user (our_identity,
                                  our_identity))


Regards
 Ralf
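
A simplified C model of the default rule and the verbose message discussed in this thread, added here as an example; it is not code from dbus or from either poster. The `creds_t` struct, the helper names and the client SID are assumptions made for illustration; `S-1-5-18` is the daemon SID from the quoted log. It shows what the rule decides when the second argument of the same-user test is `auth_identity` and when it is `our_identity`, and a log line that reports the client's own SID.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for DBusCredentials (assumption: only the two
 * fields this thread talks about). UID_UNSET models "no Unix UID". */
#define UID_UNSET (-1L)
typedef struct { long unix_uid; const char *windows_sid; } creds_t;

/* Daemon SID is the one from the quoted log; the client SID is constructed. */
static const creds_t DAEMON = { UID_UNSET, "S-1-5-18" };
static const creds_t CLIENT = { UID_UNSET, "S-1-5-21-1111111111-2222222222-3333333333-500" };

static const char *sid(const creds_t *c) { return c->windows_sid ? c->windows_sid : ""; }

/* Model of a same-user test: equal UID and equal SID string. */
static int same_user(const creds_t *a, const creds_t *b) {
    return a->unix_uid == b->unix_uid && strcmp(sid(a), sid(b)) == 0;
}

/* The three default rules quoted above: anonymous, root, or same user. */
static int allow_default(int allow_anonymous, const creds_t *our, const creds_t *auth) {
    return allow_anonymous || auth->unix_uid == 0 || same_user(our, auth);
}

/* Variant with both arguments our_identity: the third rule no longer
 * depends on who the client is, so it holds for every client. */
static int allow_self_compare(int allow_anonymous, const creds_t *our, const creds_t *auth) {
    return allow_anonymous || auth->unix_uid == 0 || same_user(our, our);
}

/* Rejection message that takes the client SID from auth_identity, so the
 * two SIDs in the log differ whenever the comparison actually failed. */
static const char *reject_msg(const creds_t *our, const creds_t *auth) {
    static char buf[256];
    snprintf(buf, sizeof buf, "Client authorized as SID '%s' but our SID is '%s', disconnecting",
             sid(auth), sid(our));
    return buf;
}

int main(void) {
    printf("default rule, client vs daemon : %d\n", allow_default(0, &DAEMON, &CLIENT));
    printf("default rule, daemon vs daemon : %d\n", allow_default(0, &DAEMON, &DAEMON));
    printf("self-compare, client vs daemon : %d\n", allow_self_compare(0, &DAEMON, &CLIENT));
    if (!allow_default(0, &DAEMON, &CLIENT))
        puts(reject_msg(&DAEMON, &CLIENT));
    return 0;
}
```

With the self-compare variant the daemon accepts any client that completes authentication, so it only fits a test setup where every local user is trusted to talk to the system bus.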


