summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSimon McVittie <simon.mcvittie@collabora.co.uk>2014-11-18 17:34:11 +0000
committerSimon McVittie <simon.mcvittie@collabora.co.uk>2014-11-22 10:49:21 +0000
commit02e1ddf91e27405c0b88303bb49f5bf5c56306f8 (patch)
tree23775a06eae36db0152a5694f5540cd7bebf175f
parent29c64424d174a20449846479e7eeaa87821d78be (diff)
downloaddbus-02e1ddf91e27405c0b88303bb49f5bf5c56306f8.tar.gz
Revert "config: change default auth_timeout to 5 seconds"
This reverts commit 54d26df52b6a394bea175651d1d7ad2ab3f87dea. It appears this change may cause intermittent slow or failed boot, more commonly on slower/older machines, in at least Mageia and possibly also Debian. This would indicate that while the system is under load, system services are not completing authentication within 5 seconds. This change was not the main part of fixing CVE-2014-3639, but does help to mitigate that attack. As such, increasing this timeout makes the denial of service attack described by CVE-2014-3639 somewhat more effective: a local user connecting to the system bus repeatedly from many parallel processes can cause other users' attempts to connect to take longer. If your machine boots reliably with the shorter timeout, and resilience against local denial of service attacks is important to you, putting this in /etc/dbus-1/system-local.conf or a file matching /etc/dbus-1/system.d/*.conf can restore the lower limit: <busconfig> <limit name="auth_timeout">5000</limit> </busconfig> Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86431
-rw-r--r--bus/config-parser.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/bus/config-parser.c b/bus/config-parser.c
index 7bc9c019..ee2d4e7d 100644
--- a/bus/config-parser.c
+++ b/bus/config-parser.c
@@ -438,7 +438,7 @@ bus_config_parser_new (const DBusString *basedir,
* and legitimate auth will fail. If interactive auth (ask user for
* password) is allowed, then potentially it has to be quite long.
*/
- parser->limits.auth_timeout = 5000; /* 5 seconds */
+ parser->limits.auth_timeout = 30000; /* 30 seconds */
/* Do not allow a fd to stay forever in dbus-daemon
* https://bugs.freedesktop.org/show_bug.cgi?id=80559