Bug 124942 - app-laptop/pbbuttonsd-0.7.4 allows IPC for all users

Bug#: 124942
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: ulm@gentoo.org
Component: Default Configs
URL:
Summary: app-laptop/pbbuttonsd-0.7.4 allows IPC for all users
Keywords:
Status Whiteboard: B4 [noglsa] DerCorny

Opened: 2006-03-04 05:54 0000
In its default configuration, pbbuttonsd will accept commands via IPC from any
user.
How to reproduce:
1. Start pbbuttonsd (by its initscript).
2. As non-root user, say "pbbcmd hibernate" or "pbbcmd ejectcd".
pbbuttonsd will accept the command and put the system to sleep or eject the
medium.
The problem can be easily fixed by allowing only the root user (or no user at
all) in /etc/pbbuttonsd.conf .
ppc please have a look and provide new ebuilds with a more secure default
config, thx.

Changing this to root will break all existing pbbuttonsd installs, so I'm not
sure it's the right way to go. The current setting is upstream's default
configuration and they do provide the option to change it if you're not
comfortable with the default behaviour. Perhaps it would be better if we simply
added an ewarn to inform the user that the option is there? I'd rather do this
than have to deal with the flurry of "pbbuttonsd is broken" bugs that would
ensue if we made this change.

mhhhh, well - the GLSA coordinator guide is pretty clear about default configs:
"Gentoo packages should be as secure by default as possible. Default
configuration bugs are filed when the default configuration shipped with the
package can be improved in terms of security".
But however, I think that in this special case the security improvement doesn't
justify the trouble, so ewarn should be enough? Any comments from other
security devs?
josejx: if nobody replies during the next days, feel free to commit with the
ewarn

(In reply to comment #2)
> Changing this to root will break all existing pbbuttonsd installs,
I don't buy this argument.
/etc/pbbuttonsd.conf is config-protected (and I would expect it to be heavily
customised for most users). By changing the default you won't break anything
for existing installations.

I tend to agree with comment #4. At least a note in the config file would be
nice.

Sorry for the confusion, I meant to say "new installs" instead of "existing
installs". Changing this setting to something (anything) will result in a
broken pbbuttonsd "out of the box".
The config file as provided by upstream says:
#userallowed = "paranoid" ; user who is allowed to use IPC
As the first configuration line in the config file. Unfortunately, there is no
configuration option to let a group use IPC, only one user.
It's also been my experience that most users do not change the pbbuttonsd
config from the default, so I'm not sure if a more verbose description in the
config would help either.
I'm not trying to be difficult, but I don't see the benefit of breaking
pbbuttonsd "out of the box". Not to trivialize security, but pbbuttonsd is
meant to be run on a laptop with a single user.
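
An audit helper, added here as an example and not part of this bug report or of pbbuttonsd itself, that reads a pbbuttonsd.conf and reports which user the userallowed option grants IPC access to. It assumes the file syntax matches the single line quoted above (key = "value", a trailing ";" comment, "#" commenting a line out) and treats an absent or commented-out userallowed line as the upstream default, which this bug describes as accepting commands from any user. The function names and the sample config contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Gentoo bug or from pbbuttonsd): report who may
# drive pbbuttonsd over IPC according to a pbbuttonsd.conf file.
# Assumed syntax, taken from the one line quoted in the bug:
#   key = "value" ; comment      and '#' at line start comments a line out.

# Print the effective userallowed value from the given config file.
# Prints "UNRESTRICTED" when the option is absent or commented out, which in
# the shipped default (per this bug) means any local user may send commands.
pbb_ipc_user() {
    file="$1"
    # keep only active (uncommented) userallowed lines, take the last one, then
    # strip the key, any trailing ';' comment, surrounding whitespace and quotes
    val=$(grep -E '^[[:space:]]*userallowed[[:space:]]*=' "$file" 2>/dev/null \
        | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/;.*$//' \
              -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/^"//' -e 's/"$//')
    if [ -z "$val" ]; then
        echo UNRESTRICTED
    else
        echo "$val"
    fi
}

# Exit status 0 if IPC is limited to root, 1 otherwise (usable from an audit job).
pbb_ipc_is_root_only() {
    [ "$(pbb_ipc_user "$1")" = root ]
}

# Constructed sample configs (not files taken from any real system).
tmp=$(mktemp -d)
cat > "$tmp/default.conf" <<'EOF'
#userallowed = "paranoid" ; user who is allowed to use IPC
EOF
cat > "$tmp/hardened.conf" <<'EOF'
userallowed = "root" ; only root may use IPC
EOF

echo "default.conf:  $(pbb_ipc_user "$tmp/default.conf")"    # UNRESTRICTED
echo "hardened.conf: $(pbb_ipc_user "$tmp/hardened.conf")"   # root
rm -rf "$tmp"
```

pbb_ipc_is_root_only returns a plain shell exit status, so it can be dropped into a local audit script; the hardened sample is the root-only setting the reporter asks for.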
Apart from the fact that many users probably don't know what IPC is, I tend to
think that this is sufficient. Sec devs any other opinion?

This is what I added:
ewarn "If you need extra security, you can tell pbbuttonsd to only accept"
ewarn "input from one user. You can set the userallowed option in"
ewarn "/etc/pbbuttonsd.conf to limit access."
einfo
Feel free to reopen the bug if you think this is not enough.