From 02e1ddf91e27405c0b88303bb49f5bf5c56306f8 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Tue, 18 Nov 2014 17:34:11 +0000 Subject: Revert "config: change default auth_timeout to 5 seconds" This reverts commit 54d26df52b6a394bea175651d1d7ad2ab3f87dea. It appears this change may cause intermittent slow or failed boot, more commonly on slower/older machines, in at least Mageia and possibly also Debian. This would indicate that while the system is under load, system services are not completing authentication within 5 seconds. This change was not the main part of fixing CVE-2014-3639, but does help to mitigate that attack. As such, increasing this timeout makes the denial of service attack described by CVE-2014-3639 somewhat more effective: a local user connecting to the system bus repeatedly from many parallel processes can cause other users' attempts to connect to take longer. If your machine boots reliably with the shorter timeout, and resilience against local denial of service attacks is important to you, putting this in /etc/dbus-1/system-local.conf or a file matching /etc/dbus-1/system.d/*.conf can restore the lower limit: 5000 Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86431 --- bus/config-parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bus/config-parser.c b/bus/config-parser.c index 7bc9c019..ee2d4e7d 100644 --- a/bus/config-parser.c +++ b/bus/config-parser.c @@ -438,7 +438,7 @@ bus_config_parser_new (const DBusString *basedir, * and legitimate auth will fail. If interactive auth (ask user for * password) is allowed, then potentially it has to be quite long. */ - parser->limits.auth_timeout = 5000; /* 5 seconds */ + parser->limits.auth_timeout = 30000; /* 30 seconds */ /* Do not allow a fd to stay forever in dbus-daemon * https://bugs.freedesktop.org/show_bug.cgi?id=80559 -- cgit v1.2.1