external auth mech over unix socket
Yang Chengwei
chengwei.yang at intel.com
Sat Dec 7 01:06:44 PST 2013
On Fri, Dec 06, 2013 at 02:55:23PM -0600, Serge Hallyn wrote:
> Hi,
>
> I'm playing with a dbus daemon over a simple unix socket, which should
> server the whole system. In non-user-namespace use, it works fine,
> client authenticates and makes its requests, server responds, no
> problem.
>
> I'd like it to answer requests from another user namespace as well.
> That means that the client might think it is (read, in its namespace it
> *is*) uid 0, but the daemon sees that it is actually uid 160000. Since
> the server listens over unix socket and the daemon can use so_peercred
> to get the real uid and pid of the client, this should be fine.
> However, the dbus auth protocol includes the client sending its uid
> (which is 0) in the AUTH EXTERNAL message; then the server trying to
> authenticate based on that. Since the client requests uid 0, the server
> checks _dbus_credentials_are_superset() against the socket which is
> owned by 160000, then returns error.
>
> >From here, the auth negotiation proceeds until anonymous seems to
> succeed, but then the client immediately closes its socket rather
> than proceeding.
>
> The daemon source is branch usernstest of github.com/hallyn/cgmanager,
> while test is just
>
> dbus-send --address=unix:path=/tmp/cgmanager --type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Poke
>
> run as root in a userns where 0 is mapped to 160000 on the host.
>
> The client sees:
>
> 133 sendto(3, "AUTH EXTERNAL 30\r\n", 18, MSG_NOSIGNAL, NULL, 0) = 18
> 133 poll([{fd=3, events=POLLIN}], 1, 4294967295) = 1 ([{fd=3, revents=POLLIN}])
> 133 read(3, "REJECTED EXTERNAL DBUS_COOKIE_SH"..., 2048) = 46
> 133 geteuid() = 0
> 133 poll([{fd=3, events=POLLOUT}], 1, 4294967295) = 1 ([{fd=3, revents=POLLOUT}])
> 133 sendto(3, "AUTH DBUS_COOKIE_SHA1 30\r\n", 26, MSG_NOSIGNAL, NULL, 0) = 26
> 133 poll([{fd=3, events=POLLIN}], 1, 4294967295) = 1 ([{fd=3, revents=POLLIN}])
> 133 read(3, "REJECTED EXTERNAL DBUS_COOKIE_SH"..., 2048) = 46
> 133 poll([{fd=3, events=POLLOUT}], 1, 4294967295) = 1 ([{fd=3, revents=POLLOUT}])
> 133 sendto(3, "AUTH ANONYMOUS 6c696264627573203"..., 45, MSG_NOSIGNAL, NULL, 0) = 45
> 133 poll([{fd=3, events=POLLIN}], 1, 4294967295) = 1 ([{fd=3, revents=POLLIN}])
> 133 read(3, "OK 33f6659184ac461c2219eaf752a23"..., 2048) = 37
> 133 poll([{fd=3, events=POLLOUT}], 1, 4294967295) = 1 ([{fd=3, revents=POLLOUT}])
> 133 sendto(3, "NEGOTIATE_UNIX_FD\r\n", 19, MSG_NOSIGNAL, NULL, 0) = 19
> 133 poll([{fd=3, events=POLLIN}], 1, 4294967295) = 1 ([{fd=3, revents=POLLIN}])
> 133 read(3, "AGREE_UNIX_FD\r\n", 2048) = 15
> 133 poll([{fd=3, events=POLLOUT}], 1, 4294967295) = 1 ([{fd=3, revents=POLLOUT}])
> 133 sendto(3, "BEGIN\r\n", 7, MSG_NOSIGNAL, NULL, 0) = 7
> 133 poll([{fd=3, events=POLLIN|POLLOUT}], 1, 4294967295) = 1 ([{fd=3, revents=POLLIN|POLLOUT|POLLHUP}])
> 133 recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"", 2048}], msg_controllen=0, msg_flags=MSG_CMSG_CLOEXEC}, MSG_CMSG_CLOEXEC) = 0
> 133 close(3) = 0
>
> I dont' understand why the socket gets closed right after the ANONYMOUS
> mech succeeds. IIUC ANONYMOUS would be fine with me - all I need is
> the socket credentials. Could this be a bug in the anonymous mech
> code, or (more likely) am I misusing something?
To allow anonymous connections, <allow_anonymous/> is necessary, Did
you add it in your message bus .conf?
--
Thanks,
Chengwei
>
> -serge
> _______________________________________________
> dbus mailing list
> dbus at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/dbus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <http://lists.freedesktop.org/archives/dbus/attachments/20131207/a3decdf7/attachment.pgp>
More information about the dbus
mailing list