[systemd-bugs] [Bug 55062] New: pam_systemd injects libdbus into setuid programs

bugzilla-daemon at freedesktop.org
Tue Sep 18 11:04:47 PDT 2012


https://bugs.freedesktop.org/show_bug.cgi?id=55062

             Bug #: 55062
           Summary: pam_systemd injects libdbus into setuid programs
    Classification: Unclassified
           Product: systemd
           Version: unspecified
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
        AssignedTo: systemd-bugs at lists.freedesktop.org
        ReportedBy: walters at verbum.org
         QAContact: systemd-bugs at lists.freedesktop.org


See: https://bugs.freedesktop.org/show_bug.cgi?id=52202

Basically until this moment we had not spent a lot of time thinking about
libdbus being used from a setuid program.  Unfortunately, pam_systemd
dynamically injects libdbus into anything that uses PAM, which is kind of a
problem from this aspect.

Now, libdbus will likely be "hardened" against such use, but I think any PAM
module needs to be paranoid about this too.

In this case, that means that pam_systemd should filter out any DBUS_
environment variables before initializing libdbus.

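The filtering the report asks for, sketched as an added example (not pam_systemd's or libdbus's code): a libc-only helper that strips every `DBUS_`-prefixed entry from the process environment, to be called before libdbus is initialized. The function name and the sample values are assumptions made for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for setenv() under strict -std= modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/*
 * Drop every environment entry that starts with `prefix` ("DBUS_" here).
 * The array is compacted in place rather than calling unsetenv() per name,
 * so malformed entries without '=' and duplicate names are removed too.
 * Not thread-safe: call it before any other thread can touch the environment.
 * Returns the number of entries removed, or -1 for an empty prefix.
 */
int scrub_env_prefix(const char *prefix)
{
    size_t plen = prefix ? strlen(prefix) : 0;
    int removed = 0;

    if (plen == 0)
        return -1;              /* refuse to wipe the whole environment */
    if (environ == NULL)
        return 0;

    char **dst = environ;
    for (char **src = environ; *src != NULL; src++) {
        if (strncmp(*src, prefix, plen) == 0)
            removed++;          /* skip: entry is not copied forward */
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

int main(void)
{
    /* Constructed values standing in for what an untrusted caller might set. */
    setenv("DBUS_SESSION_BUS_ADDRESS", "unix:path=/tmp/constructed-socket", 1);
    setenv("DBUS_SYSTEM_BUS_ADDRESS", "unix:path=/tmp/constructed-system", 1);

    int n = scrub_env_prefix("DBUS_");
    printf("removed %d DBUS_ entries\n", n);
    /* Only after this point would the module initialize libdbus. */
    return getenv("DBUS_SYSTEM_BUS_ADDRESS") == NULL ? 0 : 1;
}
```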