--- /dev/null
+From 3d442dbf936d197aa11ca0a71663c2bc61696151 Mon Sep 17 00:00:00 2001
+From: fujiwarat <takao.fujiwara1@gmail.com>
+Date: Fri, 13 Sep 2019 15:59:03 +0900
+Subject: [PATCH] bus: Implement GDBusAuthObserver callback
+
+ibus uses a GDBusServer with G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS,
+and doesn't set a GDBusAuthObserver, which allows anyone who can connect
+to its AF_UNIX socket to authenticate and be authorized to send method calls.
+It also seems to use an abstract AF_UNIX socket, which does not have
+filesystem permissions, so the practical effect might be that a local
+attacker can connect to another user's ibus service and make arbitrary
+method calls.
+
+BUGS=rhbz#1717958
+---
+ bus/server.c | 89 ++++++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 73 insertions(+), 16 deletions(-)
+
+diff --git a/bus/server.c b/bus/server.c
+index 3a626230..2439de14 100644
+--- a/bus/server.c
++++ b/bus/server.c
+@@ -2,7 +2,8 @@
+ /* vim:set et sts=4: */
+ /* bus - The Input Bus
+ * Copyright (C) 2008-2010 Peng Huang <shawn.p.huang@gmail.com>
+- * Copyright (C) 2008-2010 Red Hat, Inc.
++ * Copyright (C) 2011-2019 Takao Fujiwara <takao.fujiwara1@gmail.com>
++ * Copyright (C) 2008-2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+@@ -69,17 +70,64 @@ _restart_server (void)
+ exit (-1);
+ }
+
++/**
++ * bus_allow_mechanism_cb:
++ * @observer: A #GDBusAuthObserver.
++ * @mechanism: The name of the mechanism.
++ * @user_data: always %NULL.
++ *
++ * Check if @mechanism can be used to authenticate the other peer.
++ * Returns: %TRUE if the peer's mechanism is allowed.
++ */
++static gboolean
++bus_allow_mechanism_cb (GDBusAuthObserver *observer,
++ const gchar *mechanism,
++ G_GNUC_UNUSED gpointer user_data)
++{
++ if (g_strcmp0 (mechanism, "EXTERNAL") == 0)
++ return TRUE;
++ return FALSE;
++}
++
++/**
++ * bus_authorize_authenticated_peer_cb:
++ * @observer: A #GDBusAuthObserver.
++ * @stream: A #GIOStream.
++ * @credentials: A #GCredentials.
++ * @user_data: always %NULL.
++ *
++ * Check if a peer who has already authenticated should be authorized.
++ * Returns: %TRUE if the peer's credential is authorized.
++ */
++static gboolean
++bus_authorize_authenticated_peer_cb (GDBusAuthObserver *observer,
++ GIOStream *stream,
++ GCredentials *credentials,
++ G_GNUC_UNUSED gpointer user_data)
++{
++ gboolean authorized = FALSE;
++ if (credentials) {
++ GCredentials *own_credentials = g_credentials_new ();
++ if (g_credentials_is_same_user (credentials, own_credentials, NULL))
++ authorized = TRUE;
++ g_object_unref (own_credentials);
++ }
++ return authorized;
++}
++
+ /**
+ * bus_new_connection_cb:
+- * @user_data: always NULL.
+- * @returns: TRUE when the function can handle the connection.
++ * @observer: A #GDBusAuthObserver.
++ * @dbus_connection: A #GDBusconnection.
++ * @user_data: always %NULL.
+ *
+ * Handle incoming connections.
++ * Returns: %TRUE when the function can handle the connection.
+ */
+ static gboolean
+-bus_new_connection_cb (GDBusServer *server,
+- GDBusConnection *dbus_connection,
+- gpointer user_data)
++bus_new_connection_cb (GDBusServer *server,
++ GDBusConnection *dbus_connection,
++ G_GNUC_UNUSED gpointer user_data)
+ {
+ BusConnection *connection = bus_connection_new (dbus_connection);
+ bus_dbus_impl_new_connection (dbus, connection);
+@@ -94,9 +142,9 @@ bus_new_connection_cb (GDBusServer *server,
+ }
+
+ static void
+-_server_connect_start_portal_cb (GObject *source_object,
+- GAsyncResult *res,
+- gpointer user_data)
++_server_connect_start_portal_cb (GObject *source_object,
++ GAsyncResult *res,
++ G_GNUC_UNUSED gpointer user_data)
+ {
+ GVariant *result;
+ GError *error = NULL;
+@@ -113,9 +161,9 @@ _server_connect_start_portal_cb (GObject *source_object,
+ }
+
+ static void
+-bus_acquired_handler (GDBusConnection *connection,
+- const gchar *name,
+- gpointer user_data)
++bus_acquired_handler (GDBusConnection *connection,
++ const gchar *name,
++ G_GNUC_UNUSED gpointer user_data)
+ {
+ g_dbus_connection_call (connection,
+ IBUS_SERVICE_PORTAL,
+@@ -136,14 +184,17 @@ void
+ bus_server_init (void)
+ {
+ GError *error = NULL;
++ GDBusServerFlags flags = G_DBUS_SERVER_FLAGS_NONE;
++ gchar *guid;
++ GDBusAuthObserver *observer;
+
+ dbus = bus_dbus_impl_get_default ();
+ ibus = bus_ibus_impl_get_default ();
+ bus_dbus_impl_register_object (dbus, (IBusService *)ibus);
+
+ /* init server */
+- GDBusServerFlags flags = G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS;
+- gchar *guid = g_dbus_generate_guid ();
++ guid = g_dbus_generate_guid ();
++ observer = g_dbus_auth_observer_new ();
+ if (!g_str_has_prefix (g_address, "unix:tmpdir=") &&
+ !g_str_has_prefix (g_address, "unix:path=")) {
+ g_error ("Your socket address does not have the format unix:tmpdir=$DIR "
+@@ -152,7 +203,7 @@ bus_server_init (void)
+ server = g_dbus_server_new_sync (
+ g_address, /* the place where the socket file lives, e.g. /tmp, abstract namespace, etc. */
+ flags, guid,
+- NULL /* observer */,
++ observer,
+ NULL /* cancellable */,
+ &error);
+ if (server == NULL) {
+@@ -162,7 +213,13 @@ bus_server_init (void)
+ }
+ g_free (guid);
+
+- g_signal_connect (server, "new-connection", G_CALLBACK (bus_new_connection_cb), NULL);
++ g_signal_connect (observer, "allow-mechanism",
++ G_CALLBACK (bus_allow_mechanism_cb), NULL);
++ g_signal_connect (observer, "authorize-authenticated-peer",
++ G_CALLBACK (bus_authorize_authenticated_peer_cb), NULL);
++ g_object_unref (observer);
++ g_signal_connect (server, "new-connection",
++ G_CALLBACK (bus_new_connection_cb), NULL);
+
+ g_dbus_server_start (server);
+
+--
+2.24.0
+
projects / gentoo.git / commitdiff