diff options
author | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2015-05-12 11:54:50 +0100 |
---|---|---|
committer | Simon McVittie <simon.mcvittie@collabora.co.uk> | 2015-05-12 11:54:50 +0100 |
commit | d9ab8931822999336b84cac0499a12e11c11e298 (patch) | |
tree | 77757008414f64639428af6ed36a787618e0bd15 | |
parent | 77e1b3110a2bbb1a0dc2edba18558fa6026ab4fa (diff) | |
download | dbus-d9ab8931822999336b84cac0499a12e11c11e298.tar.gz |
Security hardening: force EXTERNAL auth in session.conf on Unix
DBUS_COOKIE_SHA1 is dependent on unguessable strings, i.e.
indirectly dependent on high-quality pseudo-random numbers
whereas EXTERNAL authentication (credentials-passing)
is mediated by the kernel and cannot be faked.
On Windows, EXTERNAL authentication is not available,
so we continue to use the hard-coded default (all
authentication mechanisms are tried).
Users of tcp: or nonce-tcp: on Unix will have to comment
this out, but they would have had to use a special
configuration anyway (to set the listening address),
and the tcp: and nonce-tcp: transports are inherently
insecure unless special steps are taken to have them
restricted to a VPN or SSH tunnelling.
Users of obscure Unix platforms (those that trigger
the warning "Socket credentials not supported on this Unix OS"
when compiling dbus-sysdeps-unix.c) might also have to
comment this out, or preferably provide a tested patch
to enable credentials-passing on that OS.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90414
-rw-r--r-- | bus/session.conf.in | 10 | ||||
-rw-r--r-- | cmake/CMakeLists.txt | 4 | ||||
-rw-r--r-- | configure.ac | 7 |
3 files changed, 21 insertions, 0 deletions
diff --git a/bus/session.conf.in b/bus/session.conf.in index cfe9544f..e78c1d33 100644 --- a/bus/session.conf.in +++ b/bus/session.conf.in @@ -14,6 +14,16 @@ <listen>@DBUS_SESSION_BUS_LISTEN_ADDRESS@</listen> + <!-- On Unix systems, the most secure authentication mechanism is + EXTERNAL, which uses credential-passing over Unix sockets. + + This authentication mechanism is not available on Windows, + is not suitable for use with the tcp: or nonce-tcp: transports, + and will not work on obscure flavours of Unix that do not have + a supported credentials-passing mechanism. On those platforms/transports, + comment out the <auth> element to allow fallback to DBUS_COOKIE_SHA1. --> + @DBUS_SESSION_CONF_MAYBE_AUTH_EXTERNAL@ + <standard_session_servicedirs /> <policy context="default"> diff --git a/cmake/CMakeLists.txt b/cmake/CMakeLists.txt index c767c171..af6e12ff 100644 --- a/cmake/CMakeLists.txt +++ b/cmake/CMakeLists.txt @@ -435,6 +435,7 @@ if (WIN32) set (DBUS_SESSION_CONFIG_FILE "etc/dbus-1/session.conf") # bus-test expects a non empty string set (DBUS_USER "Administrator") + set (DBUS_SESSION_CONF_MAYBE_AUTH_EXTERNAL "<!--<auth>EXTERNAL</auth>-->") else (WIN32) set (DBUS_SESSION_BUS_LISTEN_ADDRESS "unix:tmpdir=${DBUS_SESSION_SOCKET_DIR}" CACHE STRING "session bus default listening address") set (DBUS_SESSION_BUS_CONNECT_ADDRESS "autolaunch:" CACHE STRING "session bus fallback address for clients") @@ -443,6 +444,9 @@ else (WIN32) set (DBUS_SYSTEM_CONFIG_FILE ${configdir}/system.conf) set (DBUS_SESSION_CONFIG_FILE ${configdir}/session.conf) set (DBUS_USER "root") + # For best security, assume that all non-Windows platforms can do + # credentials-passing. + set (DBUS_SESSION_CONF_MAYBE_AUTH_EXTERNAL "<auth>EXTERNAL</auth>") endif (WIN32) set (DBUS_DAEMON_NAME "dbus-daemon" CACHE STRING "The name of the dbus daemon executable") diff --git a/configure.ac b/configure.ac index dcb60b94..60e1b344 100644 --- a/configure.ac +++ b/configure.ac @@ -122,6 +122,13 @@ if test "$dbus_cygwin" = yes; then AC_DEFINE(DBUS_CYGWIN,1,[Defined if we run on a cygwin API based system]) fi +# For best security, assume that all non-Windows platforms can do +# credentials-passing. +AS_IF([test "$dbus_win" = yes], + [DBUS_SESSION_CONF_MAYBE_AUTH_EXTERNAL="<!--<auth>EXTERNAL</auth>-->"], + [DBUS_SESSION_CONF_MAYBE_AUTH_EXTERNAL="<auth>EXTERNAL</auth>"]) +AC_SUBST([DBUS_SESSION_CONF_MAYBE_AUTH_EXTERNAL]) + AM_CONDITIONAL(DBUS_WIN, test "$dbus_win" = yes) AM_CONDITIONAL(DBUS_WINCE, test "$dbus_wince" = yes) AM_CONDITIONAL(DBUS_UNIX, test "$dbus_unix" = yes) |