Bug#: 124942
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Ulrich Müller <ulm@gentoo.org>

Description:   Opened: 2006-03-04 05:54 0000
In its default configuration, pbbuttonsd will accept commands via IPC from any
user.

How to reproduce:
1. Start pbbuttonsd (by its initscript).
2. As non-root user, say "pbbcmd hibernate" or "pbbcmd ejectcd".

pbbuttonsd will accept the command and put the system to sleep or eject the
medium.

The problem can be easily fixed by allowing only the root user (or no user at
all) in /etc/pbbuttonsd.conf.

------- Comment #1 From Stefan Cornelius (RETIRED) 2006-03-04 07:26:47 0000 -------
ppc please have a look and provide new ebuilds with a more secure default
config, thx.

------- Comment #2 From Joe Jezak 2006-03-04 09:12:31 0000 -------
Changing this to root will break all existing pbbuttonsd installs, so I'm not
sure it's the right way to go.  The current setting is upstream's default
configuration and they do provide the option to change it if you're not
comfortable with the default behaviour. Perhaps it would be better if we simply
added an ewarn to inform the user that the option is there?  I'd rather do this
than have to deal with the flurry of "pbbuttonsd is broken" bugs that would
ensue if we made this change.

------- Comment #3 From Stefan Cornelius (RETIRED) 2006-03-08 17:59:02 0000 -------
mhhhh, well - the GLSA coordinator guide is pretty clear about default configs:
"Gentoo packages should be as secure by default as possible. Default
configuration bugs are filed when the default configuration shipped with the
package can be improved in terms of security".

But however, I think that in this special case the security improvement doesn't
justify the trouble, so ewarn should be enough? Any comments from other
security devs?

josejx: if nobody replies during the next days, feel free to commit with the
ewarn

------- Comment #4 From Ulrich Müller 2006-03-17 00:41:54 0000 -------
(In reply to comment #2)
> Changing this to root will break all existing pbbuttonsd installs,

I don't buy this argument.

/etc/pbbuttonsd.conf is config-protected (and I would expect it to be heavily
customised for most users). By changing the default you won't break anything
for existing installations.

------- Comment #5 From Sune Kloppenborg Jeppesen 2006-03-21 11:57:06 0000 -------
I tend to agree with comment #4. At least a note in the config file would be
nice.

------- Comment #6 From Joe Jezak 2006-03-21 12:30:57 0000 -------
Sorry for the confusion, I meant to say "new installs" instead of "existing
installs".  Changing this setting to something (anything) will result in a
broken pbbuttonsd "out of the box".

The config file as provided by upstream says:

#userallowed           = "paranoid"     ; user who is allowed to use IPC

As the first configuration line in the config file.  Unfortunately, there is no
configuration option to let a group use IPC, only one user.

It's also been my experience that most users do not change the pbbuttonsd
config from the default, so I'm not sure if a more verbose description in the
config would help either.

I'm not trying to be difficult, but I don't see the benefit of breaking
pbbuttonsd "out of the box".  Not to trivialize security, but pbbuttonsd is
meant to be run on a laptop with a single user.

------- Comment #7 From Sune Kloppenborg Jeppesen 2006-03-21 12:41:58 0000 -------
Apart from the fact that many users probably don't know what IPC is, I tend to
think that this is sufficient. Sec devs any other opinion?

------- Comment #8 From Joe Jezak 2006-04-12 13:15:08 0000 -------
This is what I added:

    ewarn "If you need extra security, you can tell pbbuttonsd to only accept"
    ewarn "input from one user.  You can set the userallowed option in"
    ewarn "/etc/pbbuttonsd.conf to limit access."
    einfo

Feel free to reopen the bug if you think this is not enough.

------- Comment #9 From Thierry Carrez (RETIRED) 2006-04-13 09:10:54 0000 -------
Sounds good to me.
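
An added example, not part of the bug report or of pbbuttonsd: a shell check that reports whether a pbbuttonsd config file actually sets userallowed, the option the ewarn in comment #8 points to. The `key = "value" ; comment` syntax is inferred from the single line quoted in comment #6, the function names are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit the userallowed option in a pbbuttonsd config file.
# Assumed syntax (from the one line quoted in comment #6):
#   key = "value" ; trailing comment      and "#" starts a commented-out line.

# Print the effective userallowed value.
# Status: 0 = option set (value printed), 1 = not set, 2 = file unreadable.
pbb_userallowed() {
    [ -r "$1" ] || return 2
    awk '
        /^[ \t]*#/ { next }                    # commented out, as upstream ships it
        /^[ \t]*userallowed[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)        # drop "userallowed ="
            if (v ~ /^"/) {                    # quoted value
                sub(/^"/, "", v); sub(/".*$/, "", v)
            } else {                           # bare value, up to blank or ";"
                sub(/[ \t;].*$/, "", v)
            }
            val = v; found = 1                 # assumption: last assignment wins
        }
        END {
            if (!found) exit 1
            print val
        }
    ' "$1"
}

# Human-readable verdict; status mirrors pbb_userallowed.
pbb_audit() {
    user=$(pbb_userallowed "$1")
    case $? in
        0) echo "OK: $1 restricts IPC with userallowed=\"$user\"" ;;
        1) echo "WARN: $1 leaves userallowed unset (per this report, any user is accepted)"
           return 1 ;;
        *) echo "ERROR: cannot read $1"
           return 2 ;;
    esac
}

# Constructed sample configs: the upstream default line and a restricted variant.
tmp=$(mktemp -d)
printf '%s\n' '#userallowed           = "paranoid"     ; user who is allowed to use IPC' > "$tmp/default.conf"
printf '%s\n' 'userallowed = "root" ; only root may use IPC' > "$tmp/restricted.conf"
pbb_audit "$tmp/default.conf" || :
pbb_audit "$tmp/restricted.conf" || :
```

On a real system the file to check is /etc/pbbuttonsd.conf, the path named in the report.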
