2d3b65
From ef1035d9d86464ea0b5dde60a7a0e190895fdf5b Mon Sep 17 00:00:00 2001
2d3b65
From: Simon McVittie <smcv@collabora.com>
2d3b65
Date: Mon, 14 Oct 2019 08:22:24 +0100
2d3b65
Subject: [PATCH] gcredentialsprivate: Document the various private macros
2d3b65
2d3b65
Signed-off-by: Simon McVittie <smcv@collabora.com>
2d3b65
---
2d3b65
 gio/gcredentialsprivate.h | 59 +++++++++++++++++++++++++++++++++++++++
2d3b65
 1 file changed, 59 insertions(+)
2d3b65
2d3b65
diff --git a/gio/gcredentialsprivate.h b/gio/gcredentialsprivate.h
2d3b65
index 4d1c420a8..06f0aed19 100644
2d3b65
--- a/gio/gcredentialsprivate.h
2d3b65
+++ b/gio/gcredentialsprivate.h
2d3b65
@@ -22,6 +22,65 @@
2d3b65
 #include "gio/gcredentials.h"
2d3b65
 #include "gio/gnetworking.h"
2d3b65
 
2d3b65
+/*
2d3b65
+ * G_CREDENTIALS_SUPPORTED:
2d3b65
+ *
2d3b65
+ * Defined to 1 if GCredentials works.
2d3b65
+ */
2d3b65
+#undef G_CREDENTIALS_SUPPORTED
2d3b65
+
2d3b65
+/*
2d3b65
+ * G_CREDENTIALS_USE_LINUX_UCRED, etc.:
2d3b65
+ *
2d3b65
+ * Defined to 1 if GCredentials uses Linux `struct ucred`, etc.
2d3b65
+ */
2d3b65
+#undef G_CREDENTIALS_USE_LINUX_UCRED
2d3b65
+#undef G_CREDENTIALS_USE_FREEBSD_CMSGCRED
2d3b65
+#undef G_CREDENTIALS_USE_NETBSD_UNPCBID
2d3b65
+#undef G_CREDENTIALS_USE_OPENBSD_SOCKPEERCRED
2d3b65
+#undef G_CREDENTIALS_USE_SOLARIS_UCRED
2d3b65
+
2d3b65
+/*
2d3b65
+ * G_CREDENTIALS_NATIVE_TYPE:
2d3b65
+ *
2d3b65
+ * Defined to one of G_CREDENTIALS_TYPE_LINUX_UCRED, etc.
2d3b65
+ */
2d3b65
+#undef G_CREDENTIALS_NATIVE_TYPE
2d3b65
+
2d3b65
+/*
2d3b65
+ * G_CREDENTIALS_NATIVE_SIZE:
2d3b65
+ *
2d3b65
+ * Defined to the size of the %G_CREDENTIALS_NATIVE_TYPE
2d3b65
+ */
2d3b65
+#undef G_CREDENTIALS_NATIVE_SIZE
2d3b65
+
2d3b65
+/*
2d3b65
+ * G_CREDENTIALS_UNIX_CREDENTIALS_MESSAGE_SUPPORTED:
2d3b65
+ *
2d3b65
+ * Defined to 1 if we have a message-passing API in which credentials
2d3b65
+ * are attached to a particular message, such as `SCM_CREDENTIALS` on Linux
2d3b65
+ * or `SCM_CREDS` on FreeBSD.
2d3b65
+ */
2d3b65
+#undef G_CREDENTIALS_UNIX_CREDENTIALS_MESSAGE_SUPPORTED
2d3b65
+
2d3b65
+/*
2d3b65
+ * G_CREDENTIALS_SOCKET_GET_CREDENTIALS_SUPPORTED:
2d3b65
+ *
2d3b65
+ * Defined to 1 if we have a `getsockopt()`-style API in which one end of
2d3b65
+ * a socket connection can directly query the credentials of the process
2d3b65
+ * that initiated the other end, such as `getsockopt SO_PEERCRED` on Linux
2d3b65
+ * or `getpeereid()` on multiple operating systems.
2d3b65
+ */
2d3b65
+#undef G_CREDENTIALS_SOCKET_GET_CREDENTIALS_SUPPORTED
2d3b65
+
2d3b65
+/*
2d3b65
+ * G_CREDENTIALS_SPOOFING_SUPPORTED:
2d3b65
+ *
2d3b65
+ * Defined to 1 if privileged processes can spoof their credentials when
2d3b65
+ * using the message-passing API.
2d3b65
+ */
2d3b65
+#undef G_CREDENTIALS_SPOOFING_SUPPORTED
2d3b65
+
2d3b65
 #ifdef __linux__
2d3b65
 #define G_CREDENTIALS_SUPPORTED 1
2d3b65
 #define G_CREDENTIALS_USE_LINUX_UCRED 1
2d3b65
-- 
2d3b65
2.23.0
2d3b65
4200aa
From ee502dbbe89a5976c32eb8863c9a9d274ddb60e1 Mon Sep 17 00:00:00 2001
4200aa
From: Simon McVittie <smcv@collabora.com>
4200aa
Date: Mon, 14 Oct 2019 08:47:39 +0100
4200aa
Subject: [PATCH] GDBus: prefer getsockopt()-style credentials-passing APIs
4200aa
4200aa
Conceptually, a D-Bus server is really trying to determine the credentials
4200aa
of (the process that initiated) a connection, not the credentials that
4200aa
the process had when it sent a particular message. Ideally, it does
4200aa
this with a getsockopt()-style API that queries the credentials of the
4200aa
connection's initiator without requiring any particular cooperation from
4200aa
that process, avoiding a class of possible failures.
4200aa
4200aa
The leading '\0' in the D-Bus protocol is primarily a workaround
4200aa
for platforms where the message-based credentials-passing API is
4200aa
strictly better than the getsockopt()-style API (for example, on
4200aa
FreeBSD, SCM_CREDS includes a process ID but getpeereid() does not),
4200aa
or where the getsockopt()-style API does not exist at all. As a result
4200aa
libdbus, the reference implementation of D-Bus, does not implement
4200aa
Linux SCM_CREDENTIALS at all - it has no reason to do so, because the
4200aa
SO_PEERCRED socket option is equally informative.
4200aa
4200aa
This change makes GDBusServer on Linux more closely match the behaviour
4200aa
of libdbus.
4200aa
4200aa
In particular, GNOME/glib#1831 indicates that when a libdbus client
4200aa
connects to a GDBus server, recvmsg() sometimes yields a SCM_CREDENTIALS
4200aa
message with cmsg_data={pid=0, uid=65534, gid=65534}. I think this is
4200aa
most likely a race condition in the early steps to connect:
4200aa
4200aa
        client           server
4200aa
    connect
4200aa
                         accept
4200aa
    send '\0' <- race -> set SO_PASSCRED = 1
4200aa
                         receive '\0'
4200aa
4200aa
If the server wins the race:
4200aa
4200aa
        client           server
4200aa
    connect
4200aa
                         accept
4200aa
                         set SO_PASSCRED = 1
4200aa
    send '\0'
4200aa
                         receive '\0'
4200aa
4200aa
then everything is fine. However, if the client wins the race:
4200aa
4200aa
        client           server
4200aa
    connect
4200aa
                         accept
4200aa
    send '\0'
4200aa
                         set SO_PASSCRED = 1
4200aa
                         receive '\0'
4200aa
4200aa
then the kernel does not record credentials for the message containing
4200aa
'\0' (because SO_PASSCRED was 0 at the time). However, by the time the
4200aa
server receives the message, the kernel knows that credentials are
4200aa
desired. I would have expected the kernel to omit the credentials header
4200aa
in this case, but it seems that instead, it synthesizes a credentials
4200aa
structure with a dummy process ID 0, a dummy uid derived from
4200aa
/proc/sys/kernel/overflowuid and a dummy gid derived from
4200aa
/proc/sys/kernel/overflowgid.
4200aa
4200aa
In an unconfigured GDBusServer, hitting this race condition results in
4200aa
falling back to DBUS_COOKIE_SHA1 authentication, which in practice usually
4200aa
succeeds in authenticating the peer's uid. However, we encourage AF_UNIX
4200aa
servers on Unix platforms to allow only EXTERNAL authentication as a
4200aa
security-hardening measure, because DBUS_COOKIE_SHA1 relies on a series
4200aa
of assumptions including a cryptographically strong PRNG and a shared
4200aa
home directory with no write access by others, which are not necessarily
4200aa
true for all operating systems and users. EXTERNAL authentication will
4200aa
fail if the server cannot determine the client's credentials.
4200aa
4200aa
In particular, this caused a regression when CVE-2019-14822 was fixed
4200aa
in ibus, which appears to be resolved by this commit. Qt clients
4200aa
(which use libdbus) intermittently fail to connect to an ibus server
4200aa
(which uses GDBusServer), because ibus no longer allows DBUS_COOKIE_SHA1
4200aa
authentication or non-matching uids.
4200aa
4200aa
Signed-off-by: Simon McVittie <smcv@collabora.com>
4200aa
Closes: https://gitlab.gnome.org/GNOME/glib/issues/1831
4200aa
---
4200aa
 gio/gcredentialsprivate.h | 18 ++++++++++++++++++
4200aa
 gio/gdbusauth.c           | 27 +++++++++++++++++++++++++--
4200aa
 2 files changed, 43 insertions(+), 2 deletions(-)
4200aa
4200aa
diff --git a/gio/gcredentialsprivate.h b/gio/gcredentialsprivate.h
4200aa
index 06f0aed19..e9ec09b9f 100644
4200aa
--- a/gio/gcredentialsprivate.h
4200aa
+++ b/gio/gcredentialsprivate.h
4200aa
@@ -81,6 +81,18 @@
4200aa
  */
4200aa
 #undef G_CREDENTIALS_SPOOFING_SUPPORTED
4200aa
 
4200aa
+/*
4200aa
+ * G_CREDENTIALS_PREFER_MESSAGE_PASSING:
4200aa
+ *
4200aa
+ * Defined to 1 if the data structure transferred by the message-passing
4200aa
+ * API is strictly more informative than the one transferred by the
4200aa
+ * `getsockopt()`-style API, and hence should be preferred, even for
4200aa
+ * protocols like D-Bus that are defined in terms of the credentials of
4200aa
+ * the (process that opened the) socket, as opposed to the credentials
4200aa
+ * of an individual message.
4200aa
+ */
4200aa
+#undef G_CREDENTIALS_PREFER_MESSAGE_PASSING
4200aa
+
4200aa
 #ifdef __linux__
4200aa
 #define G_CREDENTIALS_SUPPORTED 1
4200aa
 #define G_CREDENTIALS_USE_LINUX_UCRED 1
4200aa
@@ -100,6 +112,12 @@
4200aa
 #define G_CREDENTIALS_NATIVE_SIZE (sizeof (struct cmsgcred))
4200aa
 #define G_CREDENTIALS_UNIX_CREDENTIALS_MESSAGE_SUPPORTED 1
4200aa
 #define G_CREDENTIALS_SPOOFING_SUPPORTED 1
4200aa
+/* GLib doesn't implement it yet, but FreeBSD's getsockopt()-style API
4200aa
+ * is getpeereid(), which is not as informative as struct cmsgcred -
4200aa
+ * it does not tell us the PID. As a result, libdbus prefers to use
4200aa
+ * SCM_CREDS, and if we implement getpeereid() in future, we should
4200aa
+ * do the same. */
4200aa
+#define G_CREDENTIALS_PREFER_MESSAGE_PASSING 1
4200aa
 
4200aa
 #elif defined(__NetBSD__)
4200aa
 #define G_CREDENTIALS_SUPPORTED 1
4200aa
diff --git a/gio/gdbusauth.c b/gio/gdbusauth.c
4200aa
index 752ec23fc..14cc5d70e 100644
4200aa
--- a/gio/gdbusauth.c
4200aa
+++ b/gio/gdbusauth.c
4200aa
@@ -31,6 +31,7 @@
4200aa
 #include "gdbusutils.h"
4200aa
 #include "gioenumtypes.h"
4200aa
 #include "gcredentials.h"
4200aa
+#include "gcredentialsprivate.h"
4200aa
 #include "gdbusprivate.h"
4200aa
 #include "giostream.h"
4200aa
 #include "gdatainputstream.h"
4200aa
@@ -969,9 +970,31 @@ _g_dbus_auth_run_server (GDBusAuth              *auth,
4200aa
 
4200aa
   g_data_input_stream_set_newline_type (dis, G_DATA_STREAM_NEWLINE_TYPE_CR_LF);
4200aa
 
4200aa
-  /* first read the NUL-byte */
4200aa
+  /* read the NUL-byte, possibly with credentials attached */
4200aa
 #ifdef G_OS_UNIX
4200aa
-  if (G_IS_UNIX_CONNECTION (auth->priv->stream))
4200aa
+#ifndef G_CREDENTIALS_PREFER_MESSAGE_PASSING
4200aa
+  if (G_IS_SOCKET_CONNECTION (auth->priv->stream))
4200aa
+    {
4200aa
+      GSocket *sock = g_socket_connection_get_socket (G_SOCKET_CONNECTION (auth->priv->stream));
4200aa
+
4200aa
+      local_error = NULL;
4200aa
+      credentials = g_socket_get_credentials (sock, &local_error);
4200aa
+
4200aa
+      if (credentials == NULL && !g_error_matches (local_error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED))
4200aa
+        {
4200aa
+          g_propagate_error (error, local_error);
4200aa
+          goto out;
4200aa
+        }
4200aa
+      else
4200aa
+        {
4200aa
+          /* Clear the error indicator, so we can retry with
4200aa
+           * g_unix_connection_receive_credentials() if necessary */
4200aa
+          g_clear_error (&local_error);
4200aa
+        }
4200aa
+    }
4200aa
+#endif
4200aa
+
4200aa
+  if (credentials == NULL && G_IS_UNIX_CONNECTION (auth->priv->stream))
4200aa
     {
4200aa
       local_error = NULL;
4200aa
       credentials = g_unix_connection_receive_credentials (G_UNIX_CONNECTION (auth->priv->stream),
4200aa
-- 
4200aa
2.23.0
4200aa
4200aa
From 1485a97d8051b0aa047987f7b0c0bfe4ba4ce55b Mon Sep 17 00:00:00 2001
4200aa
From: Simon McVittie <smcv@collabora.com>
4200aa
Date: Fri, 18 Oct 2019 10:55:09 +0100
4200aa
Subject: [PATCH] credentials: Invalid Linux struct ucred means "no
4200aa
 information"
4200aa
4200aa
On Linux, if getsockopt SO_PEERCRED is used on a TCP socket, one
4200aa
might expect it to fail with an appropriate error like ENOTSUP or
4200aa
EPROTONOSUPPORT. However, it appears that in fact it succeeds, but
4200aa
yields a credentials structure with pid 0, uid -1 and gid -1. These
4200aa
are not real process, user and group IDs that can be allocated to a
4200aa
real process (pid 0 needs to be reserved to give kill(0) its documented
4200aa
special semantics, and similarly uid and gid -1 need to be reserved for
4200aa
setresuid() and setresgid()) so it is not meaningful to signal them to
4200aa
high-level API users.
4200aa
4200aa
An API user with Linux-specific knowledge can still inspect these fields
4200aa
via g_credentials_get_native() if desired.
4200aa
4200aa
Similarly, if SO_PASSCRED is used to receive a SCM_CREDENTIALS message
4200aa
on a receiving Unix socket, but the sending socket had not enabled
4200aa
SO_PASSCRED at the time that the message was sent, it is possible
4200aa
for it to succeed but yield a credentials structure with pid 0, uid
4200aa
/proc/sys/kernel/overflowuid and gid /proc/sys/kernel/overflowgid. Even
4200aa
if we were to read those pseudo-files, we cannot distinguish between
4200aa
the overflow IDs and a real process that legitimately has the same IDs
4200aa
(typically they are set to 'nobody' and 'nogroup', which can be used
4200aa
by a real process), so we detect this situation by noticing that
4200aa
pid == 0, and to save syscalls we do not read the overflow IDs from
4200aa
/proc at all.
4200aa
4200aa
This results in a small API change: g_credentials_is_same_user() now
4200aa
returns FALSE if we compare two credentials structures that are both
4200aa
invalid. This seems like reasonable, conservative behaviour: if we cannot
4200aa
prove that they are the same user, we should assume they are not.
4200aa
4200aa
Signed-off-by: Simon McVittie <smcv@collabora.com>
4200aa
---
4200aa
 gio/gcredentials.c | 42 +++++++++++++++++++++++++++++++++++++++---
4200aa
 1 file changed, 39 insertions(+), 3 deletions(-)
4200aa
4200aa
diff --git a/gio/gcredentials.c b/gio/gcredentials.c
4200aa
index c350e3c88..c4794ded7 100644
4200aa
--- a/gio/gcredentials.c
4200aa
+++ b/gio/gcredentials.c
4200aa
@@ -265,6 +265,35 @@ g_credentials_to_string (GCredentials *credentials)
4200aa
 
4200aa
 /* ---------------------------------------------------------------------------------------------------- */
4200aa
 
4200aa
+#if G_CREDENTIALS_USE_LINUX_UCRED
4200aa
+/*
4200aa
+ * Check whether @native contains invalid data. If getsockopt SO_PEERCRED
4200aa
+ * is used on a TCP socket, it succeeds but yields a credentials structure
4200aa
+ * with pid 0, uid -1 and gid -1. Similarly, if SO_PASSCRED is used on a
4200aa
+ * receiving Unix socket when the sending socket did not also enable
4200aa
+ * SO_PASSCRED, it can succeed but yield a credentials structure with
4200aa
+ * pid 0, uid /proc/sys/kernel/overflowuid and gid
4200aa
+ * /proc/sys/kernel/overflowgid.
4200aa
+ */
4200aa
+static gboolean
4200aa
+linux_ucred_check_valid (struct ucred  *native,
4200aa
+                         GError       **error)
4200aa
+{
4200aa
+  if (native->pid == 0
4200aa
+      || native->uid == -1
4200aa
+      || native->gid == -1)
4200aa
+    {
4200aa
+      g_set_error_literal (error,
4200aa
+                           G_IO_ERROR,
4200aa
+                           G_IO_ERROR_INVALID_DATA,
4200aa
+                           _("GCredentials contains invalid data"));
4200aa
+      return FALSE;
4200aa
+    }
4200aa
+
4200aa
+  return TRUE;
4200aa
+}
4200aa
+#endif
4200aa
+
4200aa
 /**
4200aa
  * g_credentials_is_same_user:
4200aa
  * @credentials: A #GCredentials.
4200aa
@@ -294,7 +323,8 @@ g_credentials_is_same_user (GCredentials  *credentials,
4200aa
 
4200aa
   ret = FALSE;
4200aa
 #if G_CREDENTIALS_USE_LINUX_UCRED
4200aa
-  if (credentials->native.uid == other_credentials->native.uid)
4200aa
+  if (linux_ucred_check_valid (&credentials->native, NULL)
4200aa
+      && credentials->native.uid == other_credentials->native.uid)
4200aa
     ret = TRUE;
4200aa
 #elif G_CREDENTIALS_USE_FREEBSD_CMSGCRED
4200aa
   if (credentials->native.cmcred_euid == other_credentials->native.cmcred_euid)
4200aa
@@ -453,7 +483,10 @@ g_credentials_get_unix_user (GCredentials    *credentials,
4200aa
   g_return_val_if_fail (error == NULL || *error == NULL, -1);
4200aa
 
4200aa
 #if G_CREDENTIALS_USE_LINUX_UCRED
4200aa
-  ret = credentials->native.uid;
4200aa
+  if (linux_ucred_check_valid (&credentials->native, error))
4200aa
+    ret = credentials->native.uid;
4200aa
+  else
4200aa
+    ret = -1;
4200aa
 #elif G_CREDENTIALS_USE_FREEBSD_CMSGCRED
4200aa
   ret = credentials->native.cmcred_euid;
4200aa
 #elif G_CREDENTIALS_USE_NETBSD_UNPCBID
4200aa
@@ -499,7 +532,10 @@ g_credentials_get_unix_pid (GCredentials    *credentials,
4200aa
   g_return_val_if_fail (error == NULL || *error == NULL, -1);
4200aa
 
4200aa
 #if G_CREDENTIALS_USE_LINUX_UCRED
4200aa
-  ret = credentials->native.pid;
4200aa
+  if (linux_ucred_check_valid (&credentials->native, error))
4200aa
+    ret = credentials->native.pid;
4200aa
+  else
4200aa
+    ret = -1;
4200aa
 #elif G_CREDENTIALS_USE_FREEBSD_CMSGCRED
4200aa
   ret = credentials->native.cmcred_pid;
4200aa
 #elif G_CREDENTIALS_USE_NETBSD_UNPCBID
4200aa
-- 
4200aa
2.23.0
4200aa