
Bug 436106

Summary: x11-libs/libtinynotify-systemwide no longer works with dbus' dbus-1.6.4-CVE-2012-3524* patch
Product: Gentoo Linux
Reporter: Michał Górny <mgorny>
Component: Current packages
Assignee: Michał Górny <mgorny>
Status: RESOLVED FIXED
Severity: normal
CC: freedesktop-bugs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2012-09-24 13:41:57 UTC
$ tinynotify-send -w dupa
Connecting to D-Bus failed: Unable to autolaunch when setuid

https://bitbucket.org/mgorny/libtinynotify-systemwide/src/master/lib/tinynotify-systemwide.c

I'd appreciate if someone helped me make it work now...
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2012-09-24 13:44:45 UTC
normal `notify-send` works fine here...
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2012-09-24 13:47:15 UTC
(In reply to comment #1)
> normal `notify-send` works fine here...

No, it won't. Try it as root. That's a case for libtinynotify-systemwide.
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2012-09-24 13:51:18 UTC
you have dbus covering your X11 session, right?

 ps -C dbus-launch
  PID TTY          TIME CMD
10129 tty1     00:00:00 dbus-launch

$ export |grep DBUS
declare -x DBUS_SESSION_BUS_ADDRESS="unix:abstract=/tmp/dbus-HsImV5Woja,guid=e8b284b1533869ec04b157c2505d9e08"

as in, ~/.xinitrc has something like "dbus-launch --exit-with-session openbox-session" (just a crude example)
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2012-09-24 13:53:10 UTC
(In reply to comment #3)
> you have dbus covering your X11 session, right?

Yes.
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2012-09-24 13:55:21 UTC
su, sudo -s, sudo -i, ... every time it keeps working here, and nobody would run X11 as root (so I don't know what to tell you, tested with 3 different desktops and with lightdm and startx)
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2012-09-24 13:57:51 UTC
(In reply to comment #5)
> su, sudo -s, sudo -i, ... every time it keeps working here, and nobody would
> run X11 as root (so I don't know what to tell you, tested with 3 different
> desktops and with lightdm and startx)

(tested obviously with normal libnotify, not touching this tinynotify stuff, sorry)
Comment 7 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2012-09-24 14:06:47 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > su, sudo -s, sudo -i, ... every time it keeps working here, and nobody would
> > run X11 as root (so I don't know what to tell you, tested with 3 different
> > desktops and with lightdm and startx)
> 
> (tested obviously with normal libnotify, not touching this tinynotify stuff,
> sorry)

I guess I'll have to end up forking and dropping privileges completely rather than using setresuid() to maintain ability to switch back... or I could use capabilities.
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2012-09-24 14:08:39 UTC
might try applying this on top of =dev-libs/glib-2.32* and retest,

http://pkgs.fedoraproject.org/cgit/glib2.git/diff/0001-CVE-2012-3524-Hardening-for-being-run-in-a-setuid-en.patch?h=f17

the better fix should be in 2.34, the dbus patch is also only a temporary and I'm dropping it from next release...
Comment 9 Samuli Suominen (RETIRED) gentoo-dev 2012-09-24 14:15:04 UTC
seen https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3524 ?
Comment 10 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2012-09-24 14:26:01 UTC
I don't think either is really relevant. I guess I was using the hole which is now closed. I can use the other one which will work until someone notices 'hey, capabilities provide yet another hole!' or just start forking like crazy.
Comment 11 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2012-09-24 18:09:55 UTC
Ok, fixed through forking in -0.1.
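
Comments 7 and 11 describe the fix as forking and dropping privileges completely instead of switching IDs with setresuid() and keeping a way back. The pattern is sketched here as an added example; it is not code from libtinynotify-systemwide. The function names are hypothetical, and the callback stands in for the real work of connecting to the user's session bus.

```c
/* Added example, not libtinynotify-systemwide code; names are hypothetical. */
#define _GNU_SOURCE                 /* for setgroups() */
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Irreversibly become uid/gid. Returns 0 on success, -1 on failure. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    /* Groups first: once the UID is gone we may no longer change them. */
    if (geteuid() == 0 && uid != 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Setting real and effective IDs together also replaces the saved ID
     * on Linux, so no ID is left to switch back to. */
    if (setregid(gid, gid) != 0 || setreuid(uid, uid) != 0)
        return -1;
    /* Verify instead of trusting return codes: root must be unreachable. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Fork, drop privileges in the child and run fn there; the parent keeps its
 * own IDs. Returns fn's exit code (use 0..125), 126 if the drop failed,
 * -1 on fork/wait errors or abnormal child termination. */
int run_as_user(uid_t uid, gid_t gid, int (*fn)(void *), void *arg)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(drop_privileges(uid, gid) == 0 ? fn(arg) : 126);
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Stand-in for the real work (e.g. opening the user's session bus):
 * returns 0 only if real and effective IDs agree, as a non-setuid process. */
int ids_consistent(void *arg)
{
    (void)arg;
    return (getuid() == geteuid() && getgid() == getegid()) ? 0 : 1;
}
```

Because the drop happens only in the child, the parent can repeat the call for each target user without ever holding a mixed set of IDs itself.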