** Description changed:
The dbus configuration for iio-sensor-proxy allowed any process on the
system bus to send an org.freedesktop.DBus.Properties.Set() call to any
other process on the system bus, even if the destination process
expected to be only accessible by root.
https://github.com/hadess/iio-sensor-proxy/commit/e2d81f2
This was fixed in the upstream version 2.1
and in Debian's 2.0-4 (which was autosynced to zesty).
-
- I'll prepare debdiff's containing the Debian fix for xenial and yakkety.
Test Case
=========
dbus-send --system --dest=org.freedesktop.nm_dispatcher --type=method_call \
--print-reply / org.freedesktop.DBus.Properties.Set string:Foo \
variant:string:bar
Bad response:
Error org.freedesktop.DBus.Error.UnknownMethod: No such interface
'org.freedesktop.DBus.Properties' on object at path /
Good response:
-
Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2
matched rules; type="method_call", sender=":1.5523" (uid=1000 pid=13527
comm="dbus-send --system --dest=org.freedesktop.nm_dispa")
interface="org.freedesktop.DBus.Properties" member="Set" error
name="(unset)" requested_reply="0"
destination="org.freedesktop.nm_dispatcher" (uid=0 pid=13528
comm="/usr/lib/NetworkManager/nm-dispatcher ")
- Testing Done So Far
- ==================
- None
+ Testing Done
+ ============
+ I built the packages in my PPA and installed to Ubuntu GNOME 16.04.2 and
16.10. The test cases completed successfully after install; no log out required.
** Changed in: iio-sensor-proxy (Ubuntu)
Status: New => Confirmed
** Changed in: iio-sensor-proxy (Ubuntu Xenial)
Status: New => Confirmed
** Changed in: iio-sensor-proxy (Ubuntu Yakkety)
Status: New => Confirmed
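
A check for the class of rule described above, as an added example (not code from iio-sensor-proxy or from this bug report). It assumes the flaw took the form of an <allow> rule that matches sent messages without naming a send_destination; the sample policies and the net.hadess.SensorProxy bus name are constructed for illustration.

```python
import glob
import xml.etree.ElementTree as ET

# Constructed sample modelled on the kind of rule the report describes;
# the bus name net.hadess.SensorProxy is an assumption, not taken from the page.
WEAK_POLICY = """<busconfig>
  <policy user="root">
    <allow own="net.hadess.SensorProxy"/>
  </policy>
  <policy context="default">
    <allow send_interface="org.freedesktop.DBus.Properties"/>
  </policy>
</busconfig>"""

# Same policy with the rule pinned to the service's own bus name.
FIXED_POLICY = WEAK_POLICY.replace(
    "<allow send_interface=",
    '<allow send_destination="net.hadess.SensorProxy" send_interface=',
)


def unscoped_send_rules(root):
    """Return (policy scope, rule attributes) for every <allow> rule that
    matches sent messages but names no destination, so it applies to
    messages addressed to any service on the bus."""
    findings = []
    for policy in root.iter("policy"):
        scope = ", ".join(f"{k}={v}" for k, v in sorted(policy.attrib.items()))
        for rule in policy.findall("allow"):
            sends = any(a.startswith("send_") for a in rule.attrib)
            pinned = any(a.startswith("send_destination") for a in rule.attrib)
            if sends and not pinned:
                findings.append((scope, dict(rule.attrib)))
    return findings


def audit_text(policy_xml):
    """Audit a policy document held in a string."""
    return unscoped_send_rules(ET.fromstring(policy_xml))


if __name__ == "__main__":
    # Standard locations for system bus policy files.
    for path in sorted(glob.glob("/usr/share/dbus-1/system.d/*.conf")
                       + glob.glob("/etc/dbus-1/system.d/*.conf")):
        try:
            for scope, attrs in unscoped_send_rules(ET.parse(path).getroot()):
                print(f"{path}: policy[{scope}] allow {attrs}")
        except ET.ParseError as exc:
            print(f"{path}: could not parse ({exc})")
```

Findings are candidates for review, not confirmed flaws: each flagged rule should be checked against the services it was meant to cover.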
--
https://bugs.launchpad.net/bugs/1666358
Title:
iio-sensor-proxy: Insecure configuration of dbus service