Hello,

On Mon, Dec 30, 2024 at 3:36 AM Diego Nieto Cid <dnie...@gmail.com> wrote:
>
> On Sun, Dec 29, 2024 at 11:33:47PM +0100, Samuel Thibault wrote:
> > Hello,
> >
> > Diego Nieto Cid, on Sun. 29 Dec. 2024 22:14:40 +0000, wrote:
> > > (ibus-daemon:17123): GLib-GIO-WARNING **: 20:49:29.230: Expected a credentials struct of 84 bytes but got 88 bytes of data
> > >
> > > which I traced to the GIO function g_unix_credentials_message_deserialize
> > > (which can be seen here[1]).
> > > [1] https://gitlab.gnome.org/GNOME/glib/-/blob/main/gio/gunixcredentialsmessage.c?ref_type=heads#L115
> > >
> > > It seems to be some structure size issue on amd64 (i386 tests don't fail)
> > > regarding SCM_CREDS implementation.
> >
> > See the error test, it's about G_CREDENTIALS_NATIVE_SIZE, see its
> > definition:
> >
> > #define G_CREDENTIALS_NATIVE_SIZE (sizeof (struct cmsgcred))
> >
> > And the definition of struct cmsgcred in bits/socket.h

This feels like an opportunity to remind everyone that the SCM_CREDS
implementation, which is shipped as a Debian downstream patch, doesn't
actually verify the credentials. I have posted a more detailed
description [0] back in Feb 2023, and still got no response. So: ping?

[0]: https://mail.gnu.org/archive/html/bug-hurd/2023-02/msg00054.html

I have also written a PoC exploit for this, which authenticates itself
to the D-Bus daemon as UID 0, even though it's not.

Sergey