2436 – session bus does not restrict connections base on uid

Bug 2436 - session bus does not restrict connections base on uid

Summary: session bus does not restrict connections base on uid

Status:	RESOLVED FIXED

Alias:	None

Product:	dbus
Classification:	Unclassified
Component:	core (show other bugs)
Version:	unspecified
Hardware:	x86 (IA32) Linux (All)

Importance:	high major
Assignee:	Havoc Pennington
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2005-01-31 15:01 UTC by Daniel Reed
Modified:	2006-08-01 10:26 UTC (History)
CC List:	3 users (show)

See Also:
i915 platform:
i915 features:

Attachments
possible fix (1.92 KB, patch) 2005-01-31 15:51 UTC, Havoc Pennington	Details \| Splinter Review
better fix (1.89 KB, patch) 2005-01-31 15:59 UTC, Havoc Pennington	Details \| Splinter Review
Show Obsolete (1) View All

Description Daniel Reed 2005-01-31 15:01:53 UTC

If I login as root and create a session bus, then login as another user, I am
able to use dbus-send to connect to root's session bus.

To reproduce:
Login as root, open a terminal, echo $DBUS_SESSION_BUS_ADDRESS, write down the
address.
Run dbus-monitor --session

Login as another user on a console, run:
env DBUS_SESSION_BUS_ADDRESS=(address written down above) dbus-send
--dest=org.freedesktop.DBus --type=method_call --print-reply
/org/freedesktop/DBus org.freedesktop.DBus.ListServices

The dbus-send gives a message about not being able to print the return value,
and the dbus-monitor on root's session bus shows the ListServices request coming
through.

Comment 1 Havoc Pennington 2005-01-31 15:51:03 UTC

Created attachment 1802 [details] [review]
possible fix

Comment 2 Havoc Pennington 2005-01-31 15:52:17 UTC

s/=/==/ in that patch...

Comment 3 Havoc Pennington 2005-01-31 15:59:12 UTC

Created attachment 1803 [details] [review]
better fix

s/=/==/

After discussion we decided allowing root was bad, you can always put
<allow user="root"/> in the conf file if you want.

Comment 4 Mark J Cox 2005-02-01 05:41:02 UTC

I've assigned CAN-2005-0201 to this issue.

Comment 5 John (J5) Palmieri 2005-05-02 15:35:08 UTC

This was fixed some time ago

Comment 6 Daniel Stone 2005-08-29 01:24:41 UTC

Um.

This patch only ever got applied to the 0.2x branch, which means that 0.3x is
still vulnerable.  Recommend applying this to HEAD and releasing 0.36.2 with no
further changes immediately.

Comment 7 Daniel Stone 2005-08-29 01:39:50 UTC

restricting to newly-formed dbus security group

Comment 8 Daniel Stone 2005-08-29 01:40:16 UTC

j5 -- can we do 0.36.2?

Comment 9 John (J5) Palmieri 2005-08-29 13:06:23 UTC

Fix is in CVS on the DBUS_0_36_2 and HEAD branches and released at http://

Comment 10 John (J5) Palmieri 2005-08-29 15:14:28 UTC

http://dbus.freedesktop.org/releases/dbus-0.36.2.tar.gz

Opening up bug since it is public

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.