Dbus and security - a few questions

Havoc Pennington hp at redhat.com
Fri Mar 4 22:54:42 UTC 2005


On Fri, 2005-03-04 at 20:36 +0100, Kyrre Ness Sjobak wrote:
> 
> But as this system grows, and more and more apps hook up - what are the
> exploitation risks? Could one f.ex. buffer overflow a privileged app
> through the dbus "network"? Which/what kind of services will be turned on
> by default in future fedora installations? Of course, having
> NetworkManager running on a shell server would be a problem so
> NetworkManager would probably never be turned on by default, but where
> are the border cases?

There's certainly security here to think about. dbus provides fairly
fine-grained firewall-style functionality, plus the selinux integration,
but in the end a system daemon that takes requests via dbus has to be
written with security in mind. dbus can guarantee that the daemon only
gets messages of type foo with arguments a, b, c of types string, int,
double; but the daemon is responsible for ensuring that it won't crash
if the int is set to INT_MAX or whatever. Basically dbus handles a lot
of the parsing/authentication/connection-establishing sort of issues but
the app still has to validate that data is within expected parameters.

Keep in mind that dbus has two separate running processes: one is the
systemwide one used to talk to system daemons, the other is just running as
the user within the user's session like any other app.

Havoc
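
The split described above (the bus enforces the argument types, the daemon enforces the values), as an added example that is not part of the original message and not dbus or daemon code. The method signature (string, int, double), the limits and all names are hypothetical; no dbus API is called.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical limits for a hypothetical method taking (string, int, double). */
#define MAX_NAME_LEN 64
#define MAX_COUNT    4096
#define RECORD_SIZE  128

enum check { ARGS_OK = 0, BAD_NAME, BAD_COUNT, BAD_SCALE };

/* The bus has already guaranteed the types. Everything checked here is
 * the daemon's own job. On success *bytes holds a safe allocation size. */
enum check validate_args(const char *name, int32_t count, double scale,
                         size_t *bytes)
{
    size_t len;

    if (name == NULL)
        return BAD_NAME;
    for (len = 0; name[len] != '\0'; len++) {
        unsigned char c = (unsigned char)name[len];

        if (len >= MAX_NAME_LEN)
            return BAD_NAME;            /* bounded scan, no unbounded copy */
        /* Allow only [A-Za-z0-9_-]: no path separators or control bytes. */
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-'))
            return BAD_NAME;
    }
    if (len == 0)
        return BAD_NAME;

    /* A well-typed int can still be negative or INT_MAX. Bounding it
     * first means the multiplication below cannot overflow. */
    if (count < 1 || count > MAX_COUNT)
        return BAD_COUNT;

    /* A well-typed double can still be NaN or infinite. Written as a
     * negated range test so that NaN (which fails every comparison)
     * is rejected along with out-of-range and infinite values. */
    if (!(scale >= 0.0 && scale <= 1.0))
        return BAD_SCALE;

    *bytes = (size_t)count * RECORD_SIZE;
    return ARGS_OK;
}
```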




