[systemd-bugs] [Bug 55062] New: pam_systemd injects libdbus into setuid programs
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Tue Sep 18 11:04:47 PDT 2012
https://bugs.freedesktop.org/show_bug.cgi?id=55062
Bug #: 55062
Summary: pam_systemd injects libdbus into setuid programs
Classification: Unclassified
Product: systemd
Version: unspecified
Platform: Other
OS/Version: All
Status: NEW
Severity: normal
Priority: medium
Component: general
AssignedTo: systemd-bugs at lists.freedesktop.org
ReportedBy: walters at verbum.org
QAContact: systemd-bugs at lists.freedesktop.org
See: https://bugs.freedesktop.org/show_bug.cgi?id=52202
Basically until this moment we had not spent a lot of time thinking about
libdbus being used from a setuid program. Unfortunately, pam_systemd
dynamically injects libdbus into anything that uses PAM, which is kind of a
problem from this aspect.
Now, libdbus will likely be "hardened" against such use, but I think any PAM
module needs to be paranoid about this too.
In this case, that means that pam_systemd should filter out any DBUS_
environment variables before initializing libdbus.
--
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA Contact for the bug.
You are the assignee for the bug.
More information about the systemd-bugs
mailing list