681ac7
From ef1035d9d86464ea0b5dde60a7a0e190895fdf5b Mon Sep 17 00:00:00 2001
681ac7
From: Simon McVittie <smcv@collabora.com>
681ac7
Date: Mon, 14 Oct 2019 08:22:24 +0100
681ac7
Subject: [PATCH] gcredentialsprivate: Document the various private macros
681ac7
681ac7
Signed-off-by: Simon McVittie <smcv@collabora.com>
681ac7
---
681ac7
 gio/gcredentialsprivate.h | 59 +++++++++++++++++++++++++++++++++++++++
681ac7
 1 file changed, 59 insertions(+)
681ac7
681ac7
diff --git a/gio/gcredentialsprivate.h b/gio/gcredentialsprivate.h
681ac7
index 4d1c420a8..06f0aed19 100644
681ac7
--- a/gio/gcredentialsprivate.h
681ac7
+++ b/gio/gcredentialsprivate.h
681ac7
@@ -22,6 +22,65 @@
681ac7
 #include "gio/gcredentials.h"
681ac7
 #include "gio/gnetworking.h"
681ac7
 
681ac7
+/*
681ac7
+ * G_CREDENTIALS_SUPPORTED:
681ac7
+ *
681ac7
+ * Defined to 1 if GCredentials works.
681ac7
+ */
681ac7
+#undef G_CREDENTIALS_SUPPORTED
681ac7
+
681ac7
+/*
681ac7
+ * G_CREDENTIALS_USE_LINUX_UCRED, etc.:
681ac7
+ *
681ac7
+ * Defined to 1 if GCredentials uses Linux `struct ucred`, etc.
681ac7
+ */
681ac7
+#undef G_CREDENTIALS_USE_LINUX_UCRED
681ac7
+#undef G_CREDENTIALS_USE_FREEBSD_CMSGCRED
681ac7
+#undef G_CREDENTIALS_USE_NETBSD_UNPCBID
681ac7
+#undef G_CREDENTIALS_USE_OPENBSD_SOCKPEERCRED
681ac7
+#undef G_CREDENTIALS_USE_SOLARIS_UCRED
681ac7
+
681ac7
+/*
681ac7
+ * G_CREDENTIALS_NATIVE_TYPE:
681ac7
+ *
681ac7
+ * Defined to one of G_CREDENTIALS_TYPE_LINUX_UCRED, etc.
681ac7
+ */
681ac7
+#undef G_CREDENTIALS_NATIVE_TYPE
681ac7
+
681ac7
+/*
681ac7
+ * G_CREDENTIALS_NATIVE_SIZE:
681ac7
+ *
681ac7
+ * Defined to the size of the %G_CREDENTIALS_NATIVE_TYPE
681ac7
+ */
681ac7
+#undef G_CREDENTIALS_NATIVE_SIZE
681ac7
+
681ac7
+/*
681ac7
+ * G_CREDENTIALS_UNIX_CREDENTIALS_MESSAGE_SUPPORTED:
681ac7
+ *
681ac7
+ * Defined to 1 if we have a message-passing API in which credentials
681ac7
+ * are attached to a particular message, such as `SCM_CREDENTIALS` on Linux
681ac7
+ * or `SCM_CREDS` on FreeBSD.
681ac7
+ */
681ac7
+#undef G_CREDENTIALS_UNIX_CREDENTIALS_MESSAGE_SUPPORTED
681ac7
+
681ac7
+/*
681ac7
+ * G_CREDENTIALS_SOCKET_GET_CREDENTIALS_SUPPORTED:
681ac7
+ *
681ac7
+ * Defined to 1 if we have a `getsockopt()`-style API in which one end of
681ac7
+ * a socket connection can directly query the credentials of the process
681ac7
+ * that initiated the other end, such as `getsockopt SO_PEERCRED` on Linux
681ac7
+ * or `getpeereid()` on multiple operating systems.
681ac7
+ */
681ac7
+#undef G_CREDENTIALS_SOCKET_GET_CREDENTIALS_SUPPORTED
681ac7
+
681ac7
+/*
681ac7
+ * G_CREDENTIALS_SPOOFING_SUPPORTED:
681ac7
+ *
681ac7
+ * Defined to 1 if privileged processes can spoof their credentials when
681ac7
+ * using the message-passing API.
681ac7
+ */
681ac7
+#undef G_CREDENTIALS_SPOOFING_SUPPORTED
681ac7
+
681ac7
 #ifdef __linux__
681ac7
 #define G_CREDENTIALS_SUPPORTED 1
681ac7
 #define G_CREDENTIALS_USE_LINUX_UCRED 1
681ac7
-- 
681ac7
2.23.0
681ac7
6fcf6b
From ee502dbbe89a5976c32eb8863c9a9d274ddb60e1 Mon Sep 17 00:00:00 2001
6fcf6b
From: Simon McVittie <smcv@collabora.com>
6fcf6b
Date: Mon, 14 Oct 2019 08:47:39 +0100
6fcf6b
Subject: [PATCH] GDBus: prefer getsockopt()-style credentials-passing APIs
6fcf6b
6fcf6b
Conceptually, a D-Bus server is really trying to determine the credentials
6fcf6b
of (the process that initiated) a connection, not the credentials that
6fcf6b
the process had when it sent a particular message. Ideally, it does
6fcf6b
this with a getsockopt()-style API that queries the credentials of the
6fcf6b
connection's initiator without requiring any particular cooperation from
6fcf6b
that process, avoiding a class of possible failures.
6fcf6b
6fcf6b
The leading '\0' in the D-Bus protocol is primarily a workaround
6fcf6b
for platforms where the message-based credentials-passing API is
6fcf6b
strictly better than the getsockopt()-style API (for example, on
6fcf6b
FreeBSD, SCM_CREDS includes a process ID but getpeereid() does not),
6fcf6b
or where the getsockopt()-style API does not exist at all. As a result
6fcf6b
libdbus, the reference implementation of D-Bus, does not implement
6fcf6b
Linux SCM_CREDENTIALS at all - it has no reason to do so, because the
6fcf6b
SO_PEERCRED socket option is equally informative.
6fcf6b
6fcf6b
This change makes GDBusServer on Linux more closely match the behaviour
6fcf6b
of libdbus.
6fcf6b
6fcf6b
In particular, GNOME/glib#1831 indicates that when a libdbus client
6fcf6b
connects to a GDBus server, recvmsg() sometimes yields a SCM_CREDENTIALS
6fcf6b
message with cmsg_data={pid=0, uid=65534, gid=65534}. I think this is
6fcf6b
most likely a race condition in the early steps to connect:
6fcf6b
6fcf6b
        client           server
6fcf6b
    connect
6fcf6b
                         accept
6fcf6b
    send '\0' <- race -> set SO_PASSCRED = 1
6fcf6b
                         receive '\0'
6fcf6b
6fcf6b
If the server wins the race:
6fcf6b
6fcf6b
        client           server
6fcf6b
    connect
6fcf6b
                         accept
6fcf6b
                         set SO_PASSCRED = 1
6fcf6b
    send '\0'
6fcf6b
                         receive '\0'
6fcf6b
6fcf6b
then everything is fine. However, if the client wins the race:
6fcf6b
6fcf6b
        client           server
6fcf6b
    connect
6fcf6b
                         accept
6fcf6b
    send '\0'
6fcf6b
                         set SO_PASSCRED = 1
6fcf6b
                         receive '\0'
6fcf6b
6fcf6b
then the kernel does not record credentials for the message containing
6fcf6b
'\0' (because SO_PASSCRED was 0 at the time). However, by the time the
6fcf6b
server receives the message, the kernel knows that credentials are
6fcf6b
desired. I would have expected the kernel to omit the credentials header
6fcf6b
in this case, but it seems that instead, it synthesizes a credentials
6fcf6b
structure with a dummy process ID 0, a dummy uid derived from
6fcf6b
/proc/sys/kernel/overflowuid and a dummy gid derived from
6fcf6b
/proc/sys/kernel/overflowgid.
6fcf6b
6fcf6b
In an unconfigured GDBusServer, hitting this race condition results in
6fcf6b
falling back to DBUS_COOKIE_SHA1 authentication, which in practice usually
6fcf6b
succeeds in authenticating the peer's uid. However, we encourage AF_UNIX
6fcf6b
servers on Unix platforms to allow only EXTERNAL authentication as a
6fcf6b
security-hardening measure, because DBUS_COOKIE_SHA1 relies on a series
6fcf6b
of assumptions including a cryptographically strong PRNG and a shared
6fcf6b
home directory with no write access by others, which are not necessarily
6fcf6b
true for all operating systems and users. EXTERNAL authentication will
6fcf6b
fail if the server cannot determine the client's credentials.
6fcf6b
6fcf6b
In particular, this caused a regression when CVE-2019-14822 was fixed
6fcf6b
in ibus, which appears to be resolved by this commit. Qt clients
6fcf6b
(which use libdbus) intermittently fail to connect to an ibus server
6fcf6b
(which uses GDBusServer), because ibus no longer allows DBUS_COOKIE_SHA1
6fcf6b
authentication or non-matching uids.
6fcf6b
6fcf6b
Signed-off-by: Simon McVittie <smcv@collabora.com>
6fcf6b
Closes: https://gitlab.gnome.org/GNOME/glib/issues/1831
6fcf6b
---
6fcf6b
 gio/gcredentialsprivate.h | 18 ++++++++++++++++++
6fcf6b
 gio/gdbusauth.c           | 27 +++++++++++++++++++++++++--
6fcf6b
 2 files changed, 43 insertions(+), 2 deletions(-)
6fcf6b
6fcf6b
diff --git a/gio/gcredentialsprivate.h b/gio/gcredentialsprivate.h
6fcf6b
index 06f0aed19..e9ec09b9f 100644
6fcf6b
--- a/gio/gcredentialsprivate.h
6fcf6b
+++ b/gio/gcredentialsprivate.h
6fcf6b
@@ -81,6 +81,18 @@
6fcf6b
  */
6fcf6b
 #undef G_CREDENTIALS_SPOOFING_SUPPORTED
6fcf6b
 
6fcf6b
+/*
6fcf6b
+ * G_CREDENTIALS_PREFER_MESSAGE_PASSING:
6fcf6b
+ *
6fcf6b
+ * Defined to 1 if the data structure transferred by the message-passing
6fcf6b
+ * API is strictly more informative than the one transferred by the
6fcf6b
+ * `getsockopt()`-style API, and hence should be preferred, even for
6fcf6b
+ * protocols like D-Bus that are defined in terms of the credentials of
6fcf6b
+ * the (process that opened the) socket, as opposed to the credentials
6fcf6b
+ * of an individual message.
6fcf6b
+ */
6fcf6b
+#undef G_CREDENTIALS_PREFER_MESSAGE_PASSING
6fcf6b
+
6fcf6b
 #ifdef __linux__
6fcf6b
 #define G_CREDENTIALS_SUPPORTED 1
6fcf6b
 #define G_CREDENTIALS_USE_LINUX_UCRED 1
6fcf6b
@@ -100,6 +112,12 @@
6fcf6b
 #define G_CREDENTIALS_NATIVE_SIZE (sizeof (struct cmsgcred))
6fcf6b
 #define G_CREDENTIALS_UNIX_CREDENTIALS_MESSAGE_SUPPORTED 1
6fcf6b
 #define G_CREDENTIALS_SPOOFING_SUPPORTED 1
6fcf6b
+/* GLib doesn't implement it yet, but FreeBSD's getsockopt()-style API
6fcf6b
+ * is getpeereid(), which is not as informative as struct cmsgcred -
6fcf6b
+ * it does not tell us the PID. As a result, libdbus prefers to use
6fcf6b
+ * SCM_CREDS, and if we implement getpeereid() in future, we should
6fcf6b
+ * do the same. */
6fcf6b
+#define G_CREDENTIALS_PREFER_MESSAGE_PASSING 1
6fcf6b
 
6fcf6b
 #elif defined(__NetBSD__)
6fcf6b
 #define G_CREDENTIALS_SUPPORTED 1
6fcf6b
diff --git a/gio/gdbusauth.c b/gio/gdbusauth.c
6fcf6b
index 752ec23fc..14cc5d70e 100644
6fcf6b
--- a/gio/gdbusauth.c
6fcf6b
+++ b/gio/gdbusauth.c
6fcf6b
@@ -31,6 +31,7 @@
6fcf6b
 #include "gdbusutils.h"
6fcf6b
 #include "gioenumtypes.h"
6fcf6b
 #include "gcredentials.h"
6fcf6b
+#include "gcredentialsprivate.h"
6fcf6b
 #include "gdbusprivate.h"
6fcf6b
 #include "giostream.h"
6fcf6b
 #include "gdatainputstream.h"
6fcf6b
@@ -969,9 +970,31 @@ _g_dbus_auth_run_server (GDBusAuth              *auth,
6fcf6b
 
6fcf6b
   g_data_input_stream_set_newline_type (dis, G_DATA_STREAM_NEWLINE_TYPE_CR_LF);
6fcf6b
 
6fcf6b
-  /* first read the NUL-byte */
6fcf6b
+  /* read the NUL-byte, possibly with credentials attached */
6fcf6b
 #ifdef G_OS_UNIX
6fcf6b
-  if (G_IS_UNIX_CONNECTION (auth->priv->stream))
6fcf6b
+#ifndef G_CREDENTIALS_PREFER_MESSAGE_PASSING
6fcf6b
+  if (G_IS_SOCKET_CONNECTION (auth->priv->stream))
6fcf6b
+    {
6fcf6b
+      GSocket *sock = g_socket_connection_get_socket (G_SOCKET_CONNECTION (auth->priv->stream));
6fcf6b
+
6fcf6b
+      local_error = NULL;
6fcf6b
+      credentials = g_socket_get_credentials (sock, &local_error);
6fcf6b
+
6fcf6b
+      if (credentials == NULL && !g_error_matches (local_error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED))
6fcf6b
+        {
6fcf6b
+          g_propagate_error (error, local_error);
6fcf6b
+          goto out;
6fcf6b
+        }
6fcf6b
+      else
6fcf6b
+        {
6fcf6b
+          /* Clear the error indicator, so we can retry with
6fcf6b
+           * g_unix_connection_receive_credentials() if necessary */
6fcf6b
+          g_clear_error (&local_error);
6fcf6b
+        }
6fcf6b
+    }
6fcf6b
+#endif
6fcf6b
+
6fcf6b
+  if (credentials == NULL && G_IS_UNIX_CONNECTION (auth->priv->stream))
6fcf6b
     {
6fcf6b
       local_error = NULL;
6fcf6b
       credentials = g_unix_connection_receive_credentials (G_UNIX_CONNECTION (auth->priv->stream),
6fcf6b
-- 
6fcf6b
2.23.0
6fcf6b
6fcf6b
From 1485a97d8051b0aa047987f7b0c0bfe4ba4ce55b Mon Sep 17 00:00:00 2001
6fcf6b
From: Simon McVittie <smcv@collabora.com>
6fcf6b
Date: Fri, 18 Oct 2019 10:55:09 +0100
6fcf6b
Subject: [PATCH] credentials: Invalid Linux struct ucred means "no
6fcf6b
 information"
6fcf6b
6fcf6b
On Linux, if getsockopt SO_PEERCRED is used on a TCP socket, one
6fcf6b
might expect it to fail with an appropriate error like ENOTSUP or
6fcf6b
EPROTONOSUPPORT. However, it appears that in fact it succeeds, but
6fcf6b
yields a credentials structure with pid 0, uid -1 and gid -1. These
6fcf6b
are not real process, user and group IDs that can be allocated to a
6fcf6b
real process (pid 0 needs to be reserved to give kill(0) its documented
6fcf6b
special semantics, and similarly uid and gid -1 need to be reserved for
6fcf6b
setresuid() and setresgid()) so it is not meaningful to signal them to
6fcf6b
high-level API users.
6fcf6b
6fcf6b
An API user with Linux-specific knowledge can still inspect these fields
6fcf6b
via g_credentials_get_native() if desired.
6fcf6b
6fcf6b
Similarly, if SO_PASSCRED is used to receive a SCM_CREDENTIALS message
6fcf6b
on a receiving Unix socket, but the sending socket had not enabled
6fcf6b
SO_PASSCRED at the time that the message was sent, it is possible
6fcf6b
for it to succeed but yield a credentials structure with pid 0, uid
6fcf6b
/proc/sys/kernel/overflowuid and gid /proc/sys/kernel/overflowgid. Even
6fcf6b
if we were to read those pseudo-files, we cannot distinguish between
6fcf6b
the overflow IDs and a real process that legitimately has the same IDs
6fcf6b
(typically they are set to 'nobody' and 'nogroup', which can be used
6fcf6b
by a real process), so we detect this situation by noticing that
6fcf6b
pid == 0, and to save syscalls we do not read the overflow IDs from
6fcf6b
/proc at all.
6fcf6b
6fcf6b
This results in a small API change: g_credentials_is_same_user() now
6fcf6b
returns FALSE if we compare two credentials structures that are both
6fcf6b
invalid. This seems like reasonable, conservative behaviour: if we cannot
6fcf6b
prove that they are the same user, we should assume they are not.
6fcf6b
6fcf6b
Signed-off-by: Simon McVittie <smcv@collabora.com>
6fcf6b
---
6fcf6b
 gio/gcredentials.c | 42 +++++++++++++++++++++++++++++++++++++++---
6fcf6b
 1 file changed, 39 insertions(+), 3 deletions(-)
6fcf6b
6fcf6b
diff --git a/gio/gcredentials.c b/gio/gcredentials.c
6fcf6b
index c350e3c88..c4794ded7 100644
6fcf6b
--- a/gio/gcredentials.c
6fcf6b
+++ b/gio/gcredentials.c
6fcf6b
@@ -265,6 +265,35 @@ g_credentials_to_string (GCredentials *credentials)
6fcf6b
 
6fcf6b
 /* ---------------------------------------------------------------------------------------------------- */
6fcf6b
 
6fcf6b
+#if G_CREDENTIALS_USE_LINUX_UCRED
6fcf6b
+/*
6fcf6b
+ * Check whether @native contains invalid data. If getsockopt SO_PEERCRED
6fcf6b
+ * is used on a TCP socket, it succeeds but yields a credentials structure
6fcf6b
+ * with pid 0, uid -1 and gid -1. Similarly, if SO_PASSCRED is used on a
6fcf6b
+ * receiving Unix socket when the sending socket did not also enable
6fcf6b
+ * SO_PASSCRED, it can succeed but yield a credentials structure with
6fcf6b
+ * pid 0, uid /proc/sys/kernel/overflowuid and gid
6fcf6b
+ * /proc/sys/kernel/overflowgid.
6fcf6b
+ */
6fcf6b
+static gboolean
6fcf6b
+linux_ucred_check_valid (struct ucred  *native,
6fcf6b
+                         GError       **error)
6fcf6b
+{
6fcf6b
+  if (native->pid == 0
6fcf6b
+      || native->uid == -1
6fcf6b
+      || native->gid == -1)
6fcf6b
+    {
6fcf6b
+      g_set_error_literal (error,
6fcf6b
+                           G_IO_ERROR,
6fcf6b
+                           G_IO_ERROR_INVALID_DATA,
6fcf6b
+                           _("GCredentials contains invalid data"));
6fcf6b
+      return FALSE;
6fcf6b
+    }
6fcf6b
+
6fcf6b
+  return TRUE;
6fcf6b
+}
6fcf6b
+#endif
6fcf6b
+
6fcf6b
 /**
6fcf6b
  * g_credentials_is_same_user:
6fcf6b
  * @credentials: A #GCredentials.
6fcf6b
@@ -294,7 +323,8 @@ g_credentials_is_same_user (GCredentials  *credentials,
6fcf6b
 
6fcf6b
   ret = FALSE;
6fcf6b
 #if G_CREDENTIALS_USE_LINUX_UCRED
6fcf6b
-  if (credentials->native.uid == other_credentials->native.uid)
6fcf6b
+  if (linux_ucred_check_valid (&credentials->native, NULL)
6fcf6b
+      && credentials->native.uid == other_credentials->native.uid)
6fcf6b
     ret = TRUE;
6fcf6b
 #elif G_CREDENTIALS_USE_FREEBSD_CMSGCRED
6fcf6b
   if (credentials->native.cmcred_euid == other_credentials->native.cmcred_euid)
6fcf6b
@@ -453,7 +483,10 @@ g_credentials_get_unix_user (GCredentials    *credentials,
6fcf6b
   g_return_val_if_fail (error == NULL || *error == NULL, -1);
6fcf6b
 
6fcf6b
 #if G_CREDENTIALS_USE_LINUX_UCRED
6fcf6b
-  ret = credentials->native.uid;
6fcf6b
+  if (linux_ucred_check_valid (&credentials->native, error))
6fcf6b
+    ret = credentials->native.uid;
6fcf6b
+  else
6fcf6b
+    ret = -1;
6fcf6b
 #elif G_CREDENTIALS_USE_FREEBSD_CMSGCRED
6fcf6b
   ret = credentials->native.cmcred_euid;
6fcf6b
 #elif G_CREDENTIALS_USE_NETBSD_UNPCBID
6fcf6b
@@ -499,7 +532,10 @@ g_credentials_get_unix_pid (GCredentials    *credentials,
6fcf6b
   g_return_val_if_fail (error == NULL || *error == NULL, -1);
6fcf6b
 
6fcf6b
 #if G_CREDENTIALS_USE_LINUX_UCRED
6fcf6b
-  ret = credentials->native.pid;
6fcf6b
+  if (linux_ucred_check_valid (&credentials->native, error))
6fcf6b
+    ret = credentials->native.pid;
6fcf6b
+  else
6fcf6b
+    ret = -1;
6fcf6b
 #elif G_CREDENTIALS_USE_FREEBSD_CMSGCRED
6fcf6b
   ret = credentials->native.cmcred_pid;
6fcf6b
 #elif G_CREDENTIALS_USE_NETBSD_UNPCBID
6fcf6b
-- 
6fcf6b
2.23.0
6fcf6b