41 Commits

Author SHA1 Message Date
Simon McVittie
ee502dbbe8 GDBus: prefer getsockopt()-style credentials-passing APIs
Conceptually, a D-Bus server is really trying to determine the credentials
of (the process that initiated) a connection, not the credentials that
the process had when it sent a particular message. Ideally, it does
this with a getsockopt()-style API that queries the credentials of the
connection's initiator without requiring any particular cooperation from
that process, avoiding a class of possible failures.

The leading '\0' in the D-Bus protocol is primarily a workaround
for platforms where the message-based credentials-passing API is
strictly better than the getsockopt()-style API (for example, on
FreeBSD, SCM_CREDS includes a process ID but getpeereid() does not),
or where the getsockopt()-style API does not exist at all. As a result
libdbus, the reference implementation of D-Bus, does not implement
Linux SCM_CREDENTIALS at all - it has no reason to do so, because the
SO_PEERCRED socket option is equally informative.

This change makes GDBusServer on Linux more closely match the behaviour
of libdbus.

In particular,  indicates that when a libdbus client
connects to a GDBus server, recvmsg() sometimes yields a SCM_CREDENTIALS
message with cmsg_data={pid=0, uid=65534, gid=65534}. I think this is
most likely a race condition in the early steps to connect:

        client           server
    connect
                         accept
    send '\0' <- race -> set SO_PASSCRED = 1
                         receive '\0'

If the server wins the race:

        client           server
    connect
                         accept
                         set SO_PASSCRED = 1
    send '\0'
                         receive '\0'

then everything is fine. However, if the client wins the race:

        client           server
    connect
                         accept
    send '\0'
                         set SO_PASSCRED = 1
                         receive '\0'

then the kernel does not record credentials for the message containing
'\0' (because SO_PASSCRED was 0 at the time). However, by the time the
server receives the message, the kernel knows that credentials are
desired. I would have expected the kernel to omit the credentials header
in this case, but it seems that instead, it synthesizes a credentials
structure with a dummy process ID 0, a dummy uid derived from
/proc/sys/kernel/overflowuid and a dummy gid derived from
/proc/sys/kernel/overflowgid.

In an unconfigured GDBusServer, hitting this race condition results in
falling back to DBUS_COOKIE_SHA1 authentication, which in practice usually
succeeds in authenticating the peer's uid. However, we encourage AF_UNIX
servers on Unix platforms to allow only EXTERNAL authentication as a
security-hardening measure, because DBUS_COOKIE_SHA1 relies on a series
of assumptions including a cryptographically strong PRNG and a shared
home directory with no write access by others, which are not necessarily
true for all operating systems and users. EXTERNAL authentication will
fail if the server cannot determine the client's credentials.

In particular, this caused a regression when CVE-2019-14822 was fixed
in ibus, which appears to be resolved by this commit. Qt clients
(which use libdbus) intermittently fail to connect to an ibus server
(which uses GDBusServer), because ibus no longer allows DBUS_COOKIE_SHA1
authentication or non-matching uids.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: https://gitlab.gnome.org/GNOME/glib/issues/1831
2019-10-28 19:56:00 +00:00
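
The ordering that the commit message above calls the client winning the race, replayed deterministically on a single socketpair() and compared with the getsockopt()-style query. This is an added example, not code from GLib or libdbus; it is Linux-only and the function names `peer_creds` and `raced_scm_creds` are made up here:

```c
#define _GNU_SOURCE   /* struct ucred, SO_PEERCRED, SCM_CREDENTIALS (Linux) */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* getsockopt()-style: credentials of the process that set up the connection. */
int peer_creds(int fd, struct ucred *out) {
    socklen_t len = sizeof *out;
    return getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len);
}

/* Message-style, in the "client wins" order: '\0' is sent before the server
 * sets SO_PASSCRED. Returns 1 and fills *out if a SCM_CREDENTIALS header
 * arrived, 0 if none did, -1 on error. */
int raced_scm_creds(int client, int server, struct ucred *out) {
    union { char buf[CMSG_SPACE(sizeof(struct ucred))]; struct cmsghdr align; } u;
    char byte;
    int on = 1;
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { 0 };
    struct cmsghdr *c;

    if (send(client, "", 1, 0) != 1) return -1;              /* send '\0' */
    if (setsockopt(server, SOL_SOCKET, SO_PASSCRED, &on, sizeof on) < 0) return -1;
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    if (recvmsg(server, &msg, 0) != 1) return -1;            /* receive '\0' */
    for (c = CMSG_FIRSTHDR(&msg); c != NULL; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
            memcpy(out, CMSG_DATA(c), sizeof *out);
            return 1;
        }
    return 0;
}

int main(void) {
    int sv[2];   /* sv[0] plays the client, sv[1] the server */
    struct ucred scm = { 0 }, peer = { 0 };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 1;
    if (raced_scm_creds(sv[0], sv[1], &scm) == 1)
        printf("SCM_CREDENTIALS: pid=%d uid=%u gid=%u\n", (int)scm.pid, (unsigned)scm.uid, (unsigned)scm.gid);
    if (peer_creds(sv[1], &peer) == 0)
        printf("SO_PEERCRED:     pid=%d uid=%u gid=%u\n", (int)peer.pid, (unsigned)peer.uid, (unsigned)peer.gid);
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```

The SCM_CREDENTIALS line shows the synthesized dummy values the commit message describes, while the SO_PEERCRED line shows the real process, independent of when the '\0' byte was sent.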
Ernestas Kulik
566e1d61a5 gdbus: Avoid printing null strings
This mostly affects the 2.56 branch, but, given that GCC 9 is being
stricter about passing null string pointers to printf-like functions, it
might make sense to proactively fix such calls.

gdbusauth.c: In function '_g_dbus_auth_run_server':
gdbusauth.c:1302:11: error: '%s' directive argument is null
[-Werror=format-overflow=]
 1302 |           debug_print ("SERVER: WaitingForBegin, read '%s'",
 line);
       |

gdbusmessage.c: In function ‘g_dbus_message_to_blob’:
gdbusmessage.c:2730:30: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
 2730 |       tupled_signature_str = g_strdup_printf ("(%s)", signature_str);
      |
2019-01-29 11:06:39 +01:00
Руслан Ижбулатов
aab83f7475 gdbus: make hexencode() a shared function to avoid duplication
https://bugzilla.gnome.org/show_bug.cgi?id=794170
2018-03-13 12:09:01 +00:00
Руслан Ижбулатов
249330c388 gdbus: pass string length to hexencode()
This is necessary for it to be able to encode strings
with embedded NUL characters.

https://bugzilla.gnome.org/show_bug.cgi?id=794170
2018-03-13 12:09:01 +00:00
Руслан Ижбулатов
f7c0ff773e gdbus: actually return string length from hexdecode()
https://bugzilla.gnome.org/show_bug.cgi?id=794170
2018-03-13 12:09:01 +00:00
Daniel Macks
190f64a0fb Avoid setting unused variables (-Wself-assign)
Setting a variable and then assigning it to itself avoids
-Wunused-but-set-variable but this specific trick is now caught by
-Wself-assign. Instead, actually use the value or don't bother
assigning it at all:

gdbusauth.c: call g_data_input_stream_read_byte() in void context
gdbusauthmechanismsha1.c: value is actually used
gdbusmessage.c: use consistent preprocessor-token protection
gthreadedresolver.c: skip over bytes in data blob
httpd.c: do something useful with the value

https://bugzilla.gnome.org/show_bug.cgi?id=745723
2017-09-11 22:14:18 +01:00
Sébastien Wilmet
3bf4a720c3 gio/: LGPLv2+ -> LGPLv2.1+
Sub-directories inside gio/ already processed in a previous commit:
- fam/
- gdbus-2.0/ (which contains only codegen/)
- gvdb/
- inotify/
- tests/
- win32/
- xdgmime/

Other sub-directories inside gio/:
- completion/: no license headers
- kqueue/: not LGPL, BSD-style license

https://bugzilla.gnome.org/show_bug.cgi?id=776504
2017-05-29 19:53:34 +02:00
Ole André Vadla Ravnås
8693d60a28 gdbusauth: plug memory leak
Happens when the waiting-for-auth state is re-entered:

SERVER_STATE_WAITING_FOR_AUTH
  |
  v
G_DBUS_AUTH_MECHANISM_STATE_REJECTED
  |
  v
SERVER_STATE_WAITING_FOR_AUTH

Causing the previous `mech` pointer to get overwritten.

https://bugzilla.gnome.org/show_bug.cgi?id=778991
2017-02-21 10:31:03 +00:00
Ignacio Casal Quinteiro
463a863605 gdbusauth: fix crash when server data send returns NULL
_g_dbus_auth_mechanism_server_data_send may fail in which case
we would end up getting a NULL data. In this case we should not
try to encode the data and simply let the state machine continue.
The auth mechanism will change internally to REJECTED so we just
need to continue the iteration.

https://bugzilla.gnome.org/show_bug.cgi?id=775309
2016-11-29 13:12:47 +01:00
Ismo Puustinen
9864c8abf5 gio: properly free memory, preventing leak and illegal access.
https://bugzilla.gnome.org/show_bug.cgi?id=753231
2016-07-16 23:24:39 -04:00
Daniel Mustieles
078dbda148 Updated FSF's address
2014-01-31 14:31:55 +01:00
Emmanuele Bassi
54cc43630d Rename the generated private data getter function
As it turns out, we have examples of internal functions called
type_name_get_private() in the wild (especially among older libraries),
so we need to use a name for the per-instance private data getter
function that hopefully won't conflict with anything.
2013-06-24 15:43:04 +01:00
Emmanuele Bassi
32747def4b gio: Use the new private instance data declaration
Use the newly added macros, and remove the explicit calls to
g_type_class_add_private().

https://bugzilla.gnome.org/show_bug.cgi?id=700035
2013-06-24 14:18:01 +01:00
Dan Winship
4b94c0831e Use 'dumb quotes' rather than `really dumb quotes'
Back in the far-off twentieth century, it was normal on unix
workstations for U+0060 GRAVE ACCENT to be drawn as "‛" and for U+0027
APOSTROPHE to be drawn as "’". This led to the convention of using
them as poor-man's ‛smart quotes’ in ASCII-only text.

However, "'" is now universally drawn as a vertical line, and "`" at a
45-degree angle, making them an `odd couple' when used together.

Unfortunately, there are lots of very old strings in glib, and also
lots of new strings in which people have kept up the old tradition,
perhaps entirely unaware that it used to not look stupid.

Fix this by just using 'dumb quotes' everywhere.

https://bugzilla.gnome.org/show_bug.cgi?id=700746
2013-05-21 11:23:22 -03:00
Henrique Dante de Almeida
c219181cb2 Add G_GNUC_PRINTF on all functions with format strings
This allows compilation with clang without errors, even when
-Wformat-nonliteral is active (as long as there are no real cases of
non literal formatting).

https://bugzilla.gnome.org/show_bug.cgi?id=691608
2013-01-13 12:32:40 -05:00
Dan Winship
b377e69685 Add gnetworking.h
Install a public "gnetworking.h" header that can be used to include
the relevant OS-dependent networking headers. This does not really
abstract away unix-vs-windows however; error codes, in particular,
are incompatible.

gnetworkingprivate.h now contains just a few internal URI-related
functions

Also add a g_networking_init() function to gnetworking.h, which can be
used to explicitly initialize OS-level networking, rather than having
that happen as a side-effect of registering GInetAddress.

https://bugzilla.gnome.org/show_bug.cgi?id=623187
2012-12-12 15:20:22 +01:00
Dan Winship
b8c13a01b6 win32: misc warning fixes
https://bugzilla.gnome.org/show_bug.cgi?id=688109
2012-11-15 14:19:06 -05:00
David Zeuthen
6a9341d851 GDBusAuth: Handle when there is no auth observer present
I obviously fucked up when adding the ::allow-mechanism signal, sorry.

Signed-off-by: David Zeuthen <davidz@redhat.com>
2012-04-14 12:40:57 -04:00
David Zeuthen
ce81bd87c5 GDBusAuthObserver: Add a way to control what authentication mechanisms to use
This is related to https://bugzilla.gnome.org/show_bug.cgi?id=673943
but also useful in a lot of other contexts.
2012-04-14 11:52:20 -04:00
Javier Jardón
928d2cea61 gio/*: Use g_list_free_full() convenience function
2012-01-03 16:53:47 +01:00
Antoine Jacoutot
77f4f5aa02 Add glib credentials support to OpenBSD.
https://bugzilla.gnome.org/show_bug.cgi?id=650885
2011-05-27 14:22:56 -04:00
David Zeuthen
e38ef14e8b GDBus: If an authentication method fails, don't give up, just try the next one
This problem was reported in bug 647602.

https://bugzilla.gnome.org/show_bug.cgi?id=647602

Signed-off-by: David Zeuthen <davidz@redhat.com>
2011-04-13 18:40:47 -04:00
David Zeuthen
0729260141 Silence a bunch of -Wunused-but-set-variable warnings
Signed-off-by: David Zeuthen <davidz@redhat.com>
2011-04-08 15:44:25 -04:00
Christian Dywan
ad363d9aac Initialise lengths in GDbusAuth to silence warnings
2010-10-08 16:33:04 +02:00
Christian Persch
6879256f36 Plug a mem leak
==6793== 16 bytes in 1 blocks are definitely lost in loss record 632 of 1,423
==6793==    at 0x4005BDC: malloc (vg_replace_malloc.c:195)
==6793==    by 0x4057094: g_malloc (gmem.c:134)
==6793==    by 0x417FC29: g_data_input_stream_read_line (gdatainputstream.c:797)
==6793==    by 0x41F99C1: _my_g_data_input_stream_read_line (gdbusauth.c:279)
==6793==    by 0x41FA728: _g_dbus_auth_run_client (gdbusauth.c:759)

Bug .
2010-08-30 10:14:39 -04:00
Ryan Lortie
5b946e0504 gio/: fully remove gioalias hacks
2010-07-07 19:53:22 -04:00
David Zeuthen
1ca6a4687a GDBus: Hold lock when printing debug messages
Signed-off-by: David Zeuthen <davidz@redhat.com>
2010-07-02 09:40:59 -04:00
David Zeuthen
c29ad23928 GDBus: make G_DBUS_DEBUG=authentication work again
This was inadvertently removed in this commit

http://git.gnome.org/browse/glib/commit/?id=1d22b64843c83631bcd0e5255930f3a4e990961e

Signed-off-by: David Zeuthen <davidz@redhat.com>
2010-07-02 09:35:13 -04:00
David Zeuthen
21d7ce97c3 GDBus: plug some memory leaks
These fixes make udisks-daemon from udisks' gdbus-port branch, see

 http://cgit.freedesktop.org/udisks/log/?h=gdbus-port

handle 200 add/remove uevents generated by e.g.

 #!/bin/bash
 DEV=mmcblk0p1
 for n in `seq 200` ; do
     udevadm trigger --sysname-match=$DEV --action=remove
     udevadm trigger --sysname-match=$DEV --action=add
     echo foo $n
 done

without any substantial leaks.

Signed-off-by: David Zeuthen <davidz@redhat.com>
2010-06-30 16:39:32 -04:00
David Zeuthen
366b3ffcde Bug 619142 – Build fixes
- Fix various #include issues

 - Change #error to #warning for the EXTERNAL authentication mechanism.
   It is not clear if this should work on Win32 at all.

 - Call close() before unlink() for the SHA1 keyring

 - Change #error to #warning so we don't forget to do
   permission checking of the .dbus-keyrings directory

 - Use Win32 SID for the SHA1 auth mech

 - Apparently we can't use word 'interface' as an identifier

 - Implement a _g_dbus_win32_get_user_sid() function. For now it's
   private. Don't know if it should be public somewhere. Maybe in
   a future GCredentials support for Win32? I don't know.

 - GFileDescriptorBased is not available on Win32. So avoid using
   it in GLocalFile stuff. Now, Win32 still uses GLocalFile + friends
   (which works with file descriptors) so expose a private function
   to get the fd for an OutputStream so things still work.

 - Fixup gio.symbols

 - Fixup tests/gdbus-peer.c so it builds

With this, at least things compile and the gdbus-peer.exe test case
passes. Which is a great start. I've tested this by cross-compiling on
a x86_64 Fedora 13 host using mingw32 and running the code on a 32-bit
Windows 7 box.

https://bugzilla.gnome.org/show_bug.cgi?id=619142

Signed-off-by: David Zeuthen <davidz@redhat.com>
2010-05-20 10:53:08 -04:00
Christian Persch
60c53fef47 Plug a mem leak in gdbusauth
From valgrind running gdbus-peer test:

==20513== 32 bytes in 1 blocks are definitely lost in loss record 1 of 15
==20513==    at 0x4024E4C: realloc (vg_replace_malloc.c:429)
==20513==    by 0x4079BB1: g_realloc (gmem.c:174)
==20513==    by 0x4099472: g_string_maybe_expand (gstring.c:396)
==20513==    by 0x409A42A: g_string_insert_c (gstring.c:1050)
==20513==    by 0x42169AC: g_string_append_c_inline (gstring.h:153)
==20513==    by 0x421682C: _my_g_input_stream_read_line_safe (gdbusauth.c:336)
==20513==    by 0x421843E: _g_dbus_auth_run_server (gdbusauth.c:1265)
==20513==    by 0x4222B94: initable_init (gdbusconnection.c:1783)
==20513==    by 0x41CF8D5: g_initable_init (ginitable.c:106)
==20513==    by 0x41CFA8D: g_initable_new_valist (ginitable.c:219)
==20513==    by 0x41CF920: g_initable_new (ginitable.c:139)
==20513==    by 0x4223479: g_dbus_connection_new_sync (gdbusconnection.c:2046)

Bug .
2010-05-15 00:12:18 +02:00
Matthias Clasen
1d22b64843 Cleanups
Sort #includes a bit better, and don't include platform-specific
headers in gio.h.
2010-05-14 08:38:07 -04:00
David Zeuthen
cb753dfd49 GDBus: Rename ::deny-authentication-peer to ::authorize-authenticated-peer
2010-05-13 16:20:31 -04:00
Matthias Clasen
9e90b381f5 Remove the credentials argument from g_unix_connect_send_credentials()
Instead, make it always send the current credentials.
2010-05-13 14:29:39 -04:00
Matthias Clasen
25a8aa5d88 Cosmetic fixes
Use P_() for properties, fix up indentation, etc.
2010-05-09 22:13:18 -04:00
Matthias Clasen
0cf467c2ca Update copyright years to include 2010
2010-05-09 13:14:55 -04:00
David Zeuthen
c148cafdd1 GDBus: Rework GCredentials type
These changes are related to

 https://bugzilla.gnome.org/show_bug.cgi?id=617483

and IRC discussions with danw.
2010-05-09 10:03:56 -04:00
David Zeuthen
46ce134d51 GDBus: Add new symbols to gio.symbols
2010-05-06 17:31:51 -04:00
David Zeuthen
fb1b4599a0 GDBus: Fix up i18n
2010-05-06 16:34:23 -04:00
David Zeuthen
c490c14f4e Set up gtk-doc for GDBus
Also move send_credentials() and receive_credentials() to
GUnixConnection. This code might change, discussion is still ongoing
in

 https://bugzilla.gnome.org/show_bug.cgi?id=617483.
2010-05-06 15:31:45 -04:00
David Zeuthen
d0a14469d0 Initial GDBus code-drop from GDBus-standalone repo
Things compile and the test-suite passes. Still need to hook up
gio.symbols and docs. There are still a bunch of TODOs left in the
sources that need to be addressed.

Signed-off-by: David Zeuthen <davidz@redhat.com>
2010-05-06 14:21:32 -04:00