|
|
Log in / Subscribe / Register

Re: Issues with capability bits and meta-data in kdbus

[Posted April 22, 2015 by corbet]

From:  One Thousand Gnomes <gnomes-AT-lxorguk.ukuu.org.uk>
To:  Linus Torvalds <torvalds-AT-linux-foundation.org>
Subject:  Re: Issues with capability bits and meta-data in kdbus
Date:  Wed, 22 Apr 2015 11:45:38 +0100
Message-ID:  <20150422114538.0f8b3d04@lxorguk.ukuu.org.uk>
Cc:  "Eric W. Biederman" <ebiederm-AT-xmission.com>, Greg Kroah-Hartman <gregkh-AT-linuxfoundation.org>, Andrew Morton <akpm-AT-linux-foundation.org>, Arnd Bergmann <arnd-AT-arndb.de>, Tom Gundersen <teg-AT-jklm.no>, Jiri Kosina <jkosina-AT-suse.cz>, Andy Lutomirski <luto-AT-amacapital.net>, Linux Kernel Mailing List <linux-kernel-AT-vger.kernel.org>, Daniel Mack <daniel-AT-zonque.org>, David Herrmann <dh.herrmann-AT-gmail.com>, Djalal Harouni <tixxdz-AT-opendz.org>
Archive‑link:  Article

> > - Access to the capability bits is guarded with PTRACE_MAY_READ
> >   kdbus does not honor that and thus leaks information.
> 
> Now, this is likely not a real problem.
> 
> Yes, when you try to read other processes capabilities, you need
> PTRACE_MAY_READ to see them. HOWEVER, that's not really what a kdbus
> message would do - it doesn't "read somebody elses capabilities". When
> you do a kdbus write, you export your *own* capabilities. If you don't
> want others to know what privileges you have, then you shouldn't be
> using kdbus.

That's broken but fixable.

It should not share any capability information *unless* you pass a flag
which says "flash my security badges around".

That fails safe (descriptor passed to another process), and gives a
default behaviour which is non surprising, non leaky and useful for
general purposes. This is also mirroring AF_LOCAL/AF_UNIX where you have
to choose to wave your bits in public.

(again its showing that kdbus really should be done by adding multicast
reliable delivery to AF_LOCAL sockets)

> So I think that one is a real and serious bug. But the other
> complaints seem to be off the mark. It seems quite reasonable to me to
> say that a recipient should be able to distinguish between *root*
> sending it a dbus message to take down the system, and some random
> luser doing the same.

Agreed but there are better ways to do this including opening some
kind of capability object and passing it as proof.

Also do I need to be root when I send the message or root when you ask ...


Alan

to post comments


Copyright © 2015, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds