The EXTERNAL authentication method doesn't work if the effective UID of the client is different from its real UID, which happens for instance on setuid applications. That's because the client sends its real UID while the server checks the effective UID. Here's a pseudo-callstack of the client:

1/ handle_client_response_mech()
2/ dbus_credentials_add_from_current_process()
3/ _dbus_credentials_add_unix_uid()
4/ _dbus_getuid()
5/ getuid()

While the server gets the effective uid in _dbus_read_credentials_socket() (through SO_PEERCRED and other methods). I guess _dbus_credentials_add_unix_uid() should call _dbus_geteuid() (which doesn't exist yet), but I'm not sure about how much code depends on the current behaviour of that function.
Created attachment 11019: Testcase
Created attachment 11020: Patch against CVS HEAD
Created attachment 11021: Patch against CVS HEAD (fixed)

The previous patch replaced _dbus_getuid() by _dbus_geteuid() in the wrong place. My bad.
Thanks, when applying this it would be worth grepping for all other uses of _dbus_getuid() and see if they should be euid as well.
After a quick look, I'd say that every getuid should be changed to geteuid, except the one in dbus-userdb.c. Also, my patch lacks a _dbus_geteuid() in dbus-sysdeps-win.c (which should return DBUS_UID_UNSET).
Havoc, can I apply this and do the other _dbus_geteuid fixes? Andrea, I don't totally understand your last comment about dbus-sysdeps-win.c. Can you clarify? Is it an in-depth fix or something easy?
Patch looks fine to me. John, the Windows fix is to just cut-and-paste the dbus_geteuid() implementation into the Windows file, but have it always return DBUS_UID_UNSET. You could do the Windows fix or just leave it for the Windows team.
Bugzilla Upgrade Mass Bug Change NEEDSINFO state was removed in Bugzilla 3.x, reopening any bugs previously listed as NEEDSINFO. - benjsc fd.o Wrangler
Committed, and other files fixed. Thanks.