Bug 2436

Summary: session bus does not restrict connections base on uid
Product: dbus Reporter: Daniel Reed <djr>
Component: coreAssignee: Havoc Pennington <hp>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: high CC: bressers, johnp, mjc
Version: unspecified   
Hardware: x86 (IA32)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:
Attachments: possible fix
better fix

Description Daniel Reed 2005-01-31 15:01:53 UTC 
If I login as root and create a session bus, then login as another user, I am
able to use dbus-send to connect to root's session bus.

To reproduce:
Login as root, open a terminal, echo $DBUS_SESSION_BUS_ADDRESS, write down the
address.
Run dbus-monitor --session

Login as another user on a console, run:
env DBUS_SESSION_BUS_ADDRESS=(address written down above) dbus-send
--dest=org.freedesktop.DBus --type=method_call --print-reply
/org/freedesktop/DBus org.freedesktop.DBus.ListServices

The dbus-send gives a message about not being able to print the return value,
and the dbus-monitor on root's session bus shows the ListServices request coming
through.
Comment 1 Havoc Pennington 2005-01-31 15:51:03 UTC 
Created attachment 1802 [details] [review]
possible fix
Comment 2 Havoc Pennington 2005-01-31 15:52:17 UTC 
s/=/==/ in that patch...
Comment 3 Havoc Pennington 2005-01-31 15:59:12 UTC 
Created attachment 1803 [details] [review]
better fix

s/=/==/

After discussion we decided allowing root was bad, you can always put
<allow user="root"/> in the conf file if you want.
Comment 4 Mark J Cox 2005-02-01 05:41:02 UTC 
I've assigned CAN-2005-0201 to this issue.
Comment 5 John (J5) Palmieri 2005-05-02 15:35:08 UTC 
This was fixed some time ago
Comment 6 Daniel Stone 2005-08-29 01:24:41 UTC 
Um.

This patch only ever got applied to the 0.2x branch, which means that 0.3x is
still vulnerable.  Recommend applying this to HEAD and releasing 0.36.2 with no
further changes immediately.
Comment 7 Daniel Stone 2005-08-29 01:39:50 UTC 
restricting to newly-formed dbus security group
Comment 8 Daniel Stone 2005-08-29 01:40:16 UTC 
j5 -- can we do 0.36.2?
Comment 9 John (J5) Palmieri 2005-08-29 13:06:23 UTC 
Fix is in CVS on the DBUS_0_36_2 and HEAD branches and released at http://
Comment 10 John (J5) Palmieri 2005-08-29 15:14:28 UTC 
http://dbus.freedesktop.org/releases/dbus-0.36.2.tar.gz

Opening up bug since it is public

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.