[systemd-devel] SD_BUS_VTABLE_CAPABILITY

Cameron Norman camerontnorman at gmail.com
Thu Apr 16 12:52:01 PDT 2015


On Thu, Apr 16, 2015 at 10:30 AM, Lennart Poettering
<lennart at poettering.net> wrote:
> On Thu, 16.04.15 09:53, Andy Lutomirski (luto at amacapital.net) wrote:
>
>> > Can you please explain how precisely you think that sd-bus or systemd
>> > or the way they use capabilities is exploitable in any way? You keep
>> > claiming that, but I never have seen more than vague words about
>> > this.
>
> Again, this question is still open. Can you please explain to me how
> you think that sd-bus or systemd's capability code is exploitable? You
> are still very vague about this, and claim it was vulnerable, but I
> really don't see that. I am still genuinely curious?
>
>> > b) sd-bus does not use capabilities for authentication on dbus1
>> >
>> > c) sd-bus uses the caller's capabilities on kdbus for authenticating
>> >    message calls. The kernel provides them racefreely in this case and
>> >    translates them between namespaces if necessary.
>>
>> The kernel will not provide that unless Linus ignores my NACK on that
>> particular point or someone convinces me that (a) there's any reason
>> at all to do so and (b) said reason is a damn good reason.  So far the
>> rather low bar of (a) hasn't been achieved.
>
> Well, first, please see the the other discussion on LKML, the
> CAP_SYS_REBOOT example mentioned there.
>
> It's easy to construct similar examples, for example for timedated,
> where setting the system clock is subject to CAP_SYS_TIME, exactly
> like the underlying system call. Using timedated instead of the system
> call gives you the benefit of syncing things into RTC and some others,
> but ultimately it's all about the system clock and should hence be
> protected by the same privilege as the actual system call. Protecting
> the "unsafe" raw system call with fewer privileges than the "safer"
> path through timedated is certainly wrong and the other way round
> too. It should really use the same privs!

As Andy said about the CAP_SYS_BOOT usage, they should NOT use the
same credential.

Setting the raw clock is different from setting the system time
through timedated, and should use different credentials.

Regards,
--
Cameron Norman
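The following is an added example for readers of this thread; it is not part of the message above, nor systemd's or timedated's code, and it does not use SD_BUS_VTABLE_CAPABILITY or any sd-bus API. It shows, in plain C, what gating a SetTime-style method on the caller's CAP_SYS_TIME (the privilege that also gates the raw clock-setting system call) amounts to: parse the caller's effective capability mask in the "CapEff:" hex form that /proc/<pid>/status reports, test the CAP_SYS_TIME bit, and decide. The function names (parse_cap_eff, mask_has_cap, authorize_set_time, self_has_cap) are hypothetical, and the three CapEff sample lines in main() are constructed, not captured from a real process.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __linux__
#include <linux/capability.h>
#endif
/* Fallback values, as defined in the kernel's uapi/linux/capability.h. */
#ifndef CAP_SYS_BOOT
#define CAP_SYS_BOOT 22
#endif
#ifndef CAP_SYS_TIME
#define CAP_SYS_TIME 25
#endif

/* Parse the hexadecimal mask following "CapEff:" in a /proc/<pid>/status
 * line into *mask. Returns 0 on success, -1 if the line is not a CapEff
 * line or the mask does not parse. */
int parse_cap_eff(const char *line, uint64_t *mask)
{
    static const char key[] = "CapEff:";
    const char *p;
    char *end;
    unsigned long long v;

    if (line == NULL || strncmp(line, key, sizeof key - 1) != 0)
        return -1;
    p = line + sizeof key - 1;
    while (*p == ' ' || *p == '\t')
        p++;
    errno = 0;
    v = strtoull(p, &end, 16);
    if (errno != 0 || end == p)
        return -1;
    *mask = (uint64_t) v;
    return 0;
}

/* 1 if capability number `cap` is set in `mask`, 0 otherwise. */
int mask_has_cap(uint64_t mask, int cap)
{
    if (cap < 0 || cap >= 64)
        return 0;
    return (int) ((mask >> cap) & 1u);
}

/* Authorization decision for a hypothetical SetTime method, given the
 * caller's CapEff line: 1 allow, 0 deny, -1 credentials unreadable
 * (a caller should treat -1 as deny). */
int authorize_set_time(const char *cap_eff_line)
{
    uint64_t mask;

    if (parse_cap_eff(cap_eff_line, &mask) < 0)
        return -1;
    return mask_has_cap(mask, CAP_SYS_TIME);
}

/* Read this process's own effective set from /proc/self/status.
 * Returns 1/0, or -1 if the file or line is unavailable. Doing the same
 * for a peer via /proc/<pid>/status is the racy variant: the pid can be
 * recycled between receiving the message and reading the file, which is
 * why the thread distinguishes kernel-supplied credentials from dbus1. */
int self_has_cap(int cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int rc = -1;

    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        uint64_t mask;
        if (parse_cap_eff(line, &mask) == 0) {
            rc = mask_has_cap(mask, cap);
            break;
        }
    }
    fclose(f);
    return rc;
}

int main(void)
{
    /* Constructed sample lines in /proc/<pid>/status format, not captured. */
    const char *unprivileged  = "CapEff:\t0000000000000000\n";
    const char *sys_time_only = "CapEff:\t0000000002000000\n"; /* bit 25 */
    const char *full_root     = "CapEff:\t0000003fffffffff\n";

    printf("unprivileged caller -> %d\n", authorize_set_time(unprivileged));
    printf("CAP_SYS_TIME caller -> %d\n", authorize_set_time(sys_time_only));
    printf("full-root caller    -> %d\n", authorize_set_time(full_root));
    printf("this process has CAP_SYS_TIME: %d\n", self_has_cap(CAP_SYS_TIME));
    return 0;
}
```

The decision function only ever sees a credential line; where that line comes from (a kernel-attached credential record or a read of /proc) is the part of the design the thread is arguing about, and the example deliberately keeps it outside the policy check.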

