On Thu, Apr 16, 2015 at 10:30 AM, Lennart Poettering <lenn...@poettering.net> wrote:
> On Thu, 16.04.15 09:53, Andy Lutomirski (l...@amacapital.net) wrote:
>
>> > Can you please explain how precisely you think that sd-bus or systemd
>> > or the way they use capabilities is exploitable in any way? You keep
>> > claiming that, but I never have seen more than vague words about
>> > this.
>
> Again, this question is still open. Can you please explain to me how
> you think that sd-bus or systemd's capability code is exploitable? You
> are still very vague about this, and claim it was vulnerable, but I
> really don't see that. I am still genuinely curious?
>
>> > b) sd-bus does not use capabilities for authentication on dbus1
>> >
>> > c) sd-bus uses the caller's capabilities on kdbus for authenticating
>> > message calls. The kernel provides them racefreely in this case and
>> > translates them between namespaces if necessary.
>>
>> The kernel will not provide that unless Linus ignores my NACK on that
>> particular point or someone convinces me that (a) there's any reason
>> at all to do so and (b) said reason is a damn good reason. So far the
>> rather low bar of (a) hasn't been achieved.
>
> Well, first, please see the other discussion on LKML, the
> CAP_SYS_REBOOT example mentioned there.
>
> It's easy to construct similar examples, for example for timedated,
> where setting the system clock is subject to CAP_SYS_TIME, exactly
> like the underlying system call. Using timedated instead of the system
> call gives you the benefit of syncing things into RTC and some others,
> but ultimately it's all about the system clock and should hence be
> protected by the same privilege as the actual system call. Protecting
> the "unsafe" raw system call with fewer privileges than the "safer"
> path through timedated is certainly wrong and the other way round
> too. It should really use the same privs!
As Andy said about the CAP_SYS_BOOT usage, they should NOT use the same
credential. Setting the raw clock is different from setting the system
time through timedated, and should use different credentials.

Regards,
--
Cameron Norman
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
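The thread argues about whether a bus service that sets the system clock should gate the request on the caller's CAP_SYS_TIME, i.e. the same capability the kernel checks for clock_settime()/settimeofday(). The following is an added example, not code from systemd, sd-bus or either author: it shows what "check the caller's effective capabilities against the syscall's privilege" looks like in practice, by parsing the CapEff line of /proc/<pid>/status-style text and testing the capability bit. The capability numbers (CAP_SYS_BOOT = 22, CAP_SYS_TIME = 25) are the kernel's; the sample status lines, the policy function may_set_clock() and the helper names are constructed for this example. The third sample (a caller holding only CAP_SYS_BOOT) illustrates the point that the two privileges are distinct bits and one does not imply the other.

```c
/* Added example (not systemd/sd-bus code): gate a "set system clock"
 * request on the caller's effective CAP_SYS_TIME, the same privilege the
 * kernel requires for the raw clock_settime()/settimeofday() syscalls. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>

#define CAP_SYS_BOOT 22   /* value from <linux/capability.h> */
#define CAP_SYS_TIME 25   /* value from <linux/capability.h> */

/* Constructed sample /proc/<pid>/status fragments (not captured output). */
const char SAMPLE_ROOT[]      = "Name:\tsh\nCapEff:\t0000003fffffffff\n";  /* full cap set */
const char SAMPLE_NONE[]      = "Name:\tsh\nCapEff:\t0000000000000000\n";  /* no caps */
const char SAMPLE_BOOT_ONLY[] = "Name:\tsh\nCapEff:\t0000000000400000\n";  /* only bit 22 */

/* Find the "CapEff:" line in a /proc/<pid>/status-style buffer and parse the
 * hex mask. Returns 0 on success, -1 if the line is absent or malformed. */
int parse_cap_eff(const char *status_text, uint64_t *mask)
{
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            p += 7;
            while (*p == ' ' || *p == '\t')
                p++;
            char *end = NULL;
            errno = 0;
            unsigned long long v = strtoull(p, &end, 16);
            if (errno != 0 || end == p)
                return -1;
            *mask = (uint64_t)v;
            return 0;
        }
        p = strchr(p, '\n');   /* advance to the next line, if any */
        if (p)
            p++;
    }
    return -1;
}

/* Test one capability bit in an effective-set mask. */
int cap_eff_has(uint64_t mask, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* Hypothetical service-side policy: allow the clock change only if the
 * caller's effective set contains CAP_SYS_TIME, mirroring the kernel's
 * own check for the syscall. Returns 1 = allow, 0 = deny, -1 = unknown. */
int may_set_clock(const char *caller_status_text)
{
    uint64_t eff = 0;
    if (parse_cap_eff(caller_status_text, &eff) < 0)
        return -1;
    return cap_eff_has(eff, CAP_SYS_TIME) ? 1 : 0;
}

/* Stand-alone demo: evaluate the policy against this process's own status.
 * Reading /proc/<pid>/status for a *peer* is inherently racy (the peer can
 * exec, drop privileges, or the PID can be reused before the service acts);
 * the thread's point about kdbus is that the kernel attaches the caller's
 * capabilities to the message instead, so the service need not do this. */
int main(void)
{
    static char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) {
        puts("no /proc/self/status here (not Linux?); sample results only");
    } else {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
        buf[n] = '\0';
        printf("this process may set clock: %d\n", may_set_clock(buf));
    }
    printf("root sample: %d, no-caps sample: %d, CAP_SYS_BOOT-only sample: %d\n",
           may_set_clock(SAMPLE_ROOT), may_set_clock(SAMPLE_NONE),
           may_set_clock(SAMPLE_BOOT_ONLY));
    return 0;
}
```

Design note: the check compares against the effective set, which is what the kernel's capable() test consults for the syscall. If the service lives in a different user namespace from the caller, the raw bitmask is not meaningful without the namespace translation the thread mentions; this example does not attempt that.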