From 6a010ac9e5aa585637b4b79df92f8ca5537faf71 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 4 Jun 2014 09:55:40 +0200 Subject: [PATCH] bus-proxy: drop priviliges if we can Either become uid/gid of the client we have been forked for, or become the "systemd-bus-proxy" user if the client was root. We retain CAP_IPC_OWNER so that we can tell kdbus we are actually our own client. --- Makefile.am | 1 + src/bus-proxyd/bus-proxyd.c | 34 ++++++++++++++++++++++++---- src/shared/capability.c | 10 ++++---- units/systemd-bus-proxyd@.service.in | 6 +++-- 4 files changed, 40 insertions(+), 11 deletions(-) diff --git a/Makefile.am b/Makefile.am index de4242491..d778b31b0 100644 --- a/Makefile.am +++ b/Makefile.am @@ -2033,6 +2033,7 @@ systemd_bus_proxyd_SOURCES = \ src/bus-proxyd/bus-proxyd.c systemd_bus_proxyd_LDADD = \ + libsystemd-capability.la \ libsystemd-internal.la \ libsystemd-shared.la diff --git a/src/bus-proxyd/bus-proxyd.c b/src/bus-proxyd/bus-proxyd.c index e095d61ff..98b2ffd7d 100644 --- a/src/bus-proxyd/bus-proxyd.c +++ b/src/bus-proxyd/bus-proxyd.c @@ -44,9 +44,11 @@ #include "build.h" #include "strv.h" #include "def.h" +#include "capability.h" static const char *arg_address = DEFAULT_SYSTEM_BUS_PATH; static char *arg_command_line_buffer = NULL; +static bool arg_drop_privileges = false; static int help(void) { @@ -54,6 +56,7 @@ static int help(void) { "Connect STDIO or a socket to a given bus address.\n\n" " -h --help Show this help\n" " --version Show package version\n" + " --drop-privileges Drop privileges\n" " --address=ADDRESS Connect to the bus specified by ADDRESS\n" " (default: " DEFAULT_SYSTEM_BUS_PATH ")\n", program_invocation_short_name); 
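Review bot: The new line in help() describes the flag only as `Drop privileges`, which tells an operator neither which identity the proxy switches to nor what it keeps, although both are fixed elsewhere in this patch. Suggest `"     --drop-privileges   Switch to the systemd-bus-proxy user, keeping only CAP_IPC_OWNER\n"` so the flag is self-describing, and the same wording in the man page if one documents this tool.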
@@ -66,13 +69,15 @@ static int parse_argv(int argc, char *argv[]) { enum { ARG_VERSION = 0x100, ARG_ADDRESS, + ARG_DROP_PRIVILEGES, }; static const struct option options[] = { - { "help", no_argument, NULL, 'h' }, - { "version", no_argument, NULL, ARG_VERSION }, - { "address", required_argument, NULL, ARG_ADDRESS }, - { NULL, 0, NULL, 0 } + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, ARG_VERSION }, + { "address", required_argument, NULL, ARG_ADDRESS }, + { "drop-privileges", no_argument, NULL, ARG_DROP_PRIVILEGES }, + { NULL, 0, NULL, 0 }, }; int c; @@ -97,6 +102,10 @@ static int parse_argv(int argc, char *argv[]) { arg_address = optarg; break; + case ARG_DROP_PRIVILEGES: + arg_drop_privileges = true; + break; + case '?': return -EINVAL; @@ -440,7 +449,6 @@ static int peer_is_privileged(sd_bus *bus, sd_bus_message *m) { return false; } - static int process_driver(sd_bus *a, sd_bus *b, sd_bus_message *m) { int r; @@ -1065,6 +1073,22 @@ int main(int argc, char *argv[]) { getpeersec(in_fd, &peersec); } + if (arg_drop_privileges) { + const char *user = "systemd-bus-proxy"; + uid_t uid; + gid_t gid; + + r = get_user_creds(&user, &uid, &gid, NULL, NULL); + if (r < 0) { + log_error("Cannot resolve user name %s: %s", user, strerror(-r)); + goto finish; + } + + r = drop_privileges(uid, gid, 1ULL << CAP_IPC_OWNER); + if (r < 0) + goto finish; + } + r = sd_bus_new(&a); if (r < 0) { log_error("Failed to allocate bus: %s", strerror(-r)); diff --git a/src/shared/capability.c b/src/shared/capability.c index 439aac7ea..d2b901337 100644 --- a/src/shared/capability.c +++ b/src/shared/capability.c @@ -85,9 +85,9 @@ unsigned long cap_last_cap(void) { } int capability_bounding_set_drop(uint64_t drop, bool right_now) { - unsigned long i; - _cleanup_cap_free_ cap_t after_cap = NULL, temp_cap = NULL; + _cleanup_cap_free_ cap_t after_cap = NULL; cap_flag_value_t fv; + unsigned long i; int r; /* If we are run as PID 1 we will lack CAP_SETPCAP by default 
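Review bot: The block added to main() always resolves the fixed account `systemd-bus-proxy` and switches to it, whereas the commit message promises to become the client's own uid/gid and fall back to that user only when the client was root; nothing in this hunk inspects the peer's credentials, so unless that branch lives in code outside the hunk, message and code disagree and one of them should change. A comment above the block would make the intent explicit: `/* Switch to the unprivileged proxy user before opening any bus; keep CAP_IPC_OWNER so kdbus still lets us act on behalf of our client. */`. On the `drop_privileges()` failure path the code jumps to `finish` with no message of its own, which is only acceptable if drop_privileges() logs on every failure path — worth confirming, since a silent exit here is hard to diagnose. main() starts and ends outside the hunk.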
@@ -103,6 +103,7 @@ int capability_bounding_set_drop(uint64_t drop, bool right_now) { return -errno; if (fv != CAP_SET) { + _cleanup_cap_free_ cap_t temp_cap = NULL; static const cap_value_t v = CAP_SETPCAP; temp_cap = cap_dup(after_cap); @@ -217,8 +218,6 @@ int capability_bounding_set_drop_usermode(uint64_t drop) { int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) { _cleanup_cap_free_ cap_t d = NULL; - cap_value_t bits[sizeof(keep_capabilities)*8]; - unsigned i, j = 0; int r; /* Unfortunately we cannot leave privilege dropping to PID 1 @@ -265,6 +264,9 @@ int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) { return log_oom(); if (keep_capabilities) { + cap_value_t bits[sizeof(keep_capabilities)*8]; + unsigned i, j = 0; + for (i = 0; i < sizeof(keep_capabilities)*8; i++) if (keep_capabilities & (1ULL << i)) bits[j++] = i; diff --git a/units/systemd-bus-proxyd@.service.in b/units/systemd-bus-proxyd@.service.in index fafd4ce03..3dc2cd9e6 100644 --- a/units/systemd-bus-proxyd@.service.in +++ b/units/systemd-bus-proxyd@.service.in @@ -12,9 +12,11 @@ Description=Legacy D-Bus Protocol Compatibility Daemon # The first argument will be replaced by the service by information on # the process requesting the proxy, we need a placeholder to keep the # space available for this. -ExecStart=@rootlibexecdir@/systemd-bus-proxyd xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +ExecStart=@rootlibexecdir@/systemd-bus-proxyd --drop-privileges xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx NotifyAccess=main -CapabilityBoundingSet=CAP_IPC_OWNER +CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP PrivateTmp=yes PrivateDevices=yes PrivateNetwork=yes +ReadOnlySystem=yes +ProtectedHome=yes -- 2.30.2
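Review bot: The bounding set now grants CAP_SETUID, CAP_SETGID and CAP_SETPCAP at startup, which widens what a compromised proxy could do in the window before `--drop-privileges` shrinks the set back to CAP_IPC_OWNER, and the unit does not say why they are there; suggest `# CAP_SETUID/CAP_SETGID/CAP_SETPCAP exist only so --drop-privileges can switch to systemd-bus-proxy and give them up again.` above the CapabilityBoundingSet= line. The unit also depends on the `systemd-bus-proxy` account existing, which this patch does not create, so a missing account makes every activation exit early. The two new directives are spelled `ReadOnlySystem=` and `ProtectedHome=`; these settings were renamed to `ProtectSystem=` and `ProtectHome=` around the same period, so if the target tree already carries the rename systemd will warn about unknown lvalues and silently skip the hardening — worth checking against the version this is merged into.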