Re: Issues with capability bits and meta-data in kdbus

From: One Thousand Gnomes
Date: Wed Apr 22 2015 - 06:46:45 EST


> > - Access to the capability bits is guarded with PTRACE_MAY_READ
> > kdbus does not honor that and thus leaks information.
>
> Now, this is likely not a real problem.
>
> Yes, when you try to read other processes capabilities, you need
> PTRACE_MAY_READ to see them. HOWEVER, that's not really what a kdbus
> message would do - it doesn't "read somebody elses capabilities". When
> you do a kdbus write, you export your *own* capabilities. If you don't
> want others to know what privileges you have, then you shouldn't be
> using kdbus.

That's broken but fixable.

It should not share any capability information *unless* you pass a flag
which says "flash my security badges around".

That fails safe (descriptor passed to another process), and gives a
default behaviour which is non surprising, non leaky and useful for
general purposes. This is also mirroring AF_LOCAL/AF_UNIX where you have
to choose to wave your bits in public.

(again its showing that kdbus really should be done by adding multicast
reliable delivery to AF_LOCAL sockets)

> So I think that one is a real and serious bug. But the other
> complaints seem to be off the mark. It seems quite reasonable to me to
> say that a recipient should be able to distinguish between *root*
> sending it a dbus message to take down the system, and some random
> luser doing the same.

Agreed but there are better ways to do this including opening some
kind of capability object and passing it as proof.

Also do I need to be root when I send the message or root when you ask ...


Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/