[MacPorts] #52257: dbus: enhancements to use privileged services via the system bus and run a session bus over a remote X11 connection
MacPorts
noreply at macports.org
Thu Sep 22 01:08:22 CEST 2016
#52257: dbus: enhancements to use privileged services via the system bus and run a
session bus over a remote X11 connection
--------------------------+------------------------
Reporter: rjvbertin@… | Owner: mcalhoun@…
Type: enhancement | Status: new
Priority: Normal | Milestone:
Component: ports | Version:
Resolution: | Keywords:
Port: dbus |
--------------------------+------------------------
Comment (by rjvbertin@…):
For now the discussion has been on the dbus mailing list.
Just FYI: the patch doesn't change anything to the underlying mechanism,
and is indeed secure in the sense that an authorisation procedure must be
completed before the setuid helper is used to execute a well-defined,
privileged service (and only that service). Without an authorisation
mechanism (provided by the KF5 KAuth framework and based on Apple's
Security framework *plus* root-owned files in
${prefix}/etc/dbus-1/system.d the setuid helper is simply never called.
The patch changes a few detail during the initialisation of the privileged
service executable, which expects to connect to the system dbus. The init
code tries to obtain the addresses (sockets) of 3 different bus types
(session, system and "master"). The privileged helper exec runs in a
tightly controlled environment, containing only the system bus address;
- on Linux, the init routines will thus set the other addresses to
"autolaunch", meaning that a daemon will be launched for them if and when
required. In practice that will not happen in this particular situation.
- on OS X the init routines only consider(ed) a session bus launched via
launchd and a system bus using a hardcoded socket path. That means that
for the privileged service exec, the session and master bus addresses are
not set to "autolaunch" but remain empty. The unpatched code will raise an
early error in that case, at a point where it doesn't even know which bus
is going to be used. My patch simply uses the fact that autolaunch isn't
required in this scenario; the initial set-up will succeed if the
requested bus address is known because for the 2 irrelevant bus addresses
it doesn't matter if they equal autolaunch or NULL.
As to "running our own setuid daemon": that's *not* the correct wording.
The dbus daemon doesn't run as root; even the system bus daemon runs as
the `messagebus` user, which isn't even in the admin group. There's a
setuid *helper*, just like port:policykit provides. That helper can only
be executed by root and by the `messagebus` user, and requires a service
ID as argument ... which will be rejected if called without authorisation:
{{{
> sudo qdbus --system org.kde.ksysguard.processlisthelper
Error: org.freedesktop.DBus.Error.AccessDenied
Rejected send message, 1 matched rules; type="method_call", sender=":1.33"
(uid=0) interface="org.freedesktop.DBus.Introspectable"
member="Introspect" error name="(unset)" requested_reply="0"
destination="org.kde.ksysguard.processlisthelper" (uid=0)
}}}
FWIW, Apple's Security API docs also describe a setuid helper as on of the
possible means to perform privileged operations after obtaining
authorisation.
--
Ticket URL: <https://trac.macports.org/ticket/52257#comment:6>
MacPorts <https://www.macports.org/>
Ports system for macOS
More information about the macports-tickets
mailing list