Control: tags -1 + patch upstream

On Thu, 02 Feb 2017 at 12:22:27 +0000, Simon McVittie wrote:
> I'm assuming the intended policy was to put a
> send_destination="net.hadess.SensorProxy" on everything

See attached - seems to work, but I have no IIO hardware.

Here is a non-weaponized exploit. You need NetworkManager, which I'm using
because nm_dispatcher is a convenient example of something that only root
is meant to be able to talk to.

Failing test: I can talk to nm_dispatcher as non-root, which I should not
be able to do (but it's harmless in this case because nm_dispatcher has
no properties)

$ dbus-send --system --dest=org.freedesktop.nm_dispatcher --type=method_call \
    --print-reply / org.freedesktop.DBus.Properties.Set string:Foo variant:string:bar
Error org.freedesktop.DBus.Error.UnknownMethod: No such interface 'org.freedesktop.DBus.Properties' on object at path /

Passing test: dbus-daemon stops me

$ dbus-send --system --dest=org.freedesktop.nm_dispatcher --type=method_call \
    --print-reply / org.freedesktop.DBus.Properties.Set string:Foo variant:string:bar
Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.5523" (uid=1000 pid=13527 comm="dbus-send --system --dest=org.freedesktop.nm_dispa") interface="org.freedesktop.DBus.Properties" member="Set" error name="(unset)" requested_reply="0" destination="org.freedesktop.nm_dispatcher" (uid=0 pid=13528 comm="/usr/lib/NetworkManager/nm-dispatcher ")

Regards,
    S
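
Added example, not part of the original message or the attached patch: a small audit that flags `<allow>` rules in a dbus-daemon policy file that match outgoing messages without a `send_destination`, which is the rule shape behind the failing test above. The sample policy is constructed for illustration and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not the file shipped by any package). The first
# rule in the default context has no send_destination; the others are scoped.
SAMPLE_POLICY = """<busconfig>
  <policy user="root">
    <allow own="net.hadess.SensorProxy"/>
  </policy>
  <policy context="default">
    <allow send_interface="org.freedesktop.DBus.Properties"/>
    <allow send_destination="net.hadess.SensorProxy"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="net.hadess.SensorProxy"
           send_interface="net.hadess.SensorProxy"/>
    <deny send_interface="net.example.Private"/>
  </policy>
</busconfig>"""

# Attributes that make a rule match messages being sent.
SEND_ATTRS = ("send_interface", "send_member", "send_path",
              "send_type", "send_error")


def unscoped_allow_rules(policy_xml):
    """Return (policy scope, rule attributes) for each <allow> rule that
    matches sent messages but names no send_destination. Such a rule is not
    limited to the service that installed it: it matches messages addressed
    to any name on the bus."""
    findings = []
    root = ET.fromstring(policy_xml)
    for policy in root.iter("policy"):
        scope = ", ".join(f"{k}={v}" for k, v in sorted(policy.attrib.items()))
        for rule in policy.findall("allow"):
            matches_send = any(attr in rule.attrib for attr in SEND_ATTRS)
            if matches_send and "send_destination" not in rule.attrib:
                findings.append((scope, dict(rule.attrib)))
    return findings


if __name__ == "__main__":
    for scope, attrs in unscoped_allow_rules(SAMPLE_POLICY):
        print(f"[{scope}] allow without send_destination: {attrs}")
```
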