From 60b89096e3012d625ff830c93951139e84dfaaee Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Tue, 18 Nov 2014 17:34:11 +0000 Subject: [PATCH] Revert "config: change default auth_timeout to 5 seconds" This reverts commit 54d26df52b6a394bea175651d1d7ad2ab3f87dea. It appears this change may cause intermittent slow or failed boot, more commonly on slower/older machines, in at least Mageia and possibly also Debian. This would indicate that while the system is under load, system services are not completing authentication within 5 seconds. This change was not the main part of fixing CVE-2014-3639, but does help to mitigate that attack. As such, increasing this timeout makes the denial of service attack described by CVE-2014-3639 somewhat more effective: a local user connecting to the system bus repeatedly from many parallel processes can cause other users' attempts to connect to take longer. If your machine boots reliably with the shorter timeout, and resilience against local denial of service attacks is important to you, putting this in /etc/dbus-1/system-local.conf or a file matching /etc/dbus-1/system.d/*.conf can restore the lower limit: 5000 Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86431 --- bus/config-parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bus/config-parser.c b/bus/config-parser.c index 7bc9c01..ee2d4e7 100644 --- a/bus/config-parser.c +++ b/bus/config-parser.c @@ -438,7 +438,7 @@ bus_config_parser_new (const DBusString *basedir, * and legitimate auth will fail. If interactive auth (ask user for * password) is allowed, then potentially it has to be quite long. */ - parser->limits.auth_timeout = 5000; /* 5 seconds */ + parser->limits.auth_timeout = 30000; /* 30 seconds */ /* Do not allow a fd to stay forever in dbus-daemon * https://bugs.freedesktop.org/show_bug.cgi?id=80559 -- 2.1.3