> > - Access to the capability bits is guarded with PTRACE_MAY_READ > > kdbus does not honor that and thus leaks information. > > Now, this is likely not a real problem. > > Yes, when you try to read other processes capabilities, you need > PTRACE_MAY_READ to see them. HOWEVER, that's not really what a kdbus > message would do - it doesn't "read somebody elses capabilities". When > you do a kdbus write, you export your *own* capabilities. If you don't > want others to know what privileges you have, then you shouldn't be > using kdbus.
That's broken but fixable. It should not share any capability information *unless* you pass a flag which says "flash my security badges around". That fails safe (descriptor passed to another process), and gives a default behaviour which is non surprising, non leaky and useful for general purposes. This is also mirroring AF_LOCAL/AF_UNIX where you have to choose to wave your bits in public. (again its showing that kdbus really should be done by adding multicast reliable delivery to AF_LOCAL sockets) > So I think that one is a real and serious bug. But the other > complaints seem to be off the mark. It seems quite reasonable to me to > say that a recipient should be able to distinguish between *root* > sending it a dbus message to take down the system, and some random > luser doing the same. Agreed but there are better ways to do this including opening some kind of capability object and passing it as proof. Also do I need to be root when I send the message or root when you ask ... Alan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
