[Bug 1202059] New: AUDIT-0: ruby3.1-rubygem-d-installer: review of D-Bus services org.opensuse.DInstaller (and friends)
http://bugzilla.opensuse.org/show_bug.cgi?id=1202059 Bug ID: 1202059 Summary: AUDIT-0: ruby3.1-rubygem-d-installer: review of D-Bus services org.opensuse.DInstaller (and friends) Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Installation Assignee: yast2-maintainers@suse.de Reporter: igonzalezsosa@suse.com QA Contact: jsrain@suse.com Found By: --- Blocker: --- Hi all, As you might know, we are working on a YaST and web-based experimental installer (https://github.com/yast/d-installer). It uses a set of D-Bus services: * org.opensuse.DInstaller * org.opensuse.DInstaller.Language * org.opensuse.DInstaller.Software * org.opensuse.DInstaller.Users Most probably we are going to add more services in the near future. We have defined them in a D-Bus configuration file: https://github.com/yast/d-installer/blob/master/service/share/dbus.conf (is installed as /etc/dbus-1/system.d/org.opensuse.DInstaller.conf). While trying to submit D-installer to factory, we found out that we need some validation from the security point of view (see https://build.opensuse.org/package/live_build_log/openSUSE:Factory:Staging:a...). So my first question is, should we have one D-Bus configuration file per service? If that's the case, I will split services and D-Bus configuration files. Any other comment? Thanks in advance! Regards, Imo -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1202059 Imobach Gonzalez Sosa <igonzalezsosa@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|yast2-maintainers@suse.de |security-team@suse.de -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1202059 http://bugzilla.opensuse.org/show_bug.cgi?id=1202059#c10 --- Comment #10 from Imobach Gonzalez Sosa <igonzalezsosa@suse.com> --- Hi Matthias, Thanks a lot for having a look! (In reply to Matthias Gerstner from comment #9)
I had a quick first look at the integration found in YaST:Head:D-Installer/rubygem-d-installer labeled with version 0.4.2-2.5.
The D-Bus interface looks pretty large and dynamic. Since this is for installing Linux onto the host the security posture for it probably will be different than for regular D-Bus services. The clients of this D-Bus service will have root-like power, if I am not mistaken, because they will be able to trigger the installation of the system. Am I correct in this?
Yes, you are correct about this. It is expected to be used as root in the installation media only.
Apart from this first look I noticed a few other things:
- the D-Bus XML configuration is installed into /etc/dbus-1/system.d/org.opensuse.DInstaller.conf, there is an effort to move all these configuration files to /usr/share/dbus-1/system.d instead. We should not add new packages with the old path in use.
OK, understood. We are moving this file to /usr/share/dbus-1/system.d. See https://github.com/yast/d-installer/pull/254.
- the autostart of the D-Bus service does not seem to work. It is configured in /usr/share/dbus-1/system-services/org.opensuse.DInstaller.service and specifies "SystemdService=d-installer. When attempting to talk to the service without it already running I get the following error though:
$ gdbus introspect -y -d org.opensuse.DInstaller -o /org/opensuse/DInstaller/Manager1 Error: GDBus.Error:org.freedesktop.DBus.Error.InvalidArgs: Unit name d-installer is not valid.
Are you trying the service on an already installed system? In the installation media it seems to work, but I will have a look.
After starting the service manually the introspection call works, though.
Regards, Imo -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1202059 http://bugzilla.opensuse.org/show_bug.cgi?id=1202059#c12 --- Comment #12 from Imobach Gonzalez Sosa <igonzalezsosa@suse.com> --- (In reply to Matthias Gerstner from comment #11)
Yes, you are correct about this. It is expected to be used as root in the installation media only.
So the *service* runs as root or also the *clients* ?
[..] Actually, the client does not need to run as root at all. Actually, we use Cockpit as a transport, so the client (which is a browser) can run with any user as long as we use Cockpit to authenticate. Restricting the access to only the root user should not be a problem when using D-Installer in the installation ISO (as we run everything as root). And in the future, if we decide to use a dedicated user in the installation ISO, I guess we could play some polkit trick to avoid authentication in the local system. Or am I wrong?
$ gdbus introspect -y -d org.opensuse.DInstaller -o /org/opensuse/DInstaller/Manager1 Error: GDBus.Error:org.freedesktop.DBus.Error.InvalidArgs: Unit name d-installer is not valid.
Are you trying the service on an already installed system? In the installation media it seems to work, but I will have a look.
Yes I tested in on a current Tumbleweed installation.
Oh, that's interesting, because it works for me using the version in the D-Installer OBS project (https://build.opensuse.org/package/show/YaST:Head:D-Installer/rubygem-d-inst...). You must ensure that the "d-installer" service is running, as it is disabled by default. Could you check whether that was the case? Thanks! -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1202059 http://bugzilla.opensuse.org/show_bug.cgi?id=1202059#c14 --- Comment #14 from Imobach Gonzalez Sosa <igonzalezsosa@suse.com> --- (In reply to Matthias Gerstner from comment #13)
The point I wanted to make is that regardless with user the client runs as, by having access to the installer D-Bus service it can do more or less what it wants on the system (like installing Linux on any block device, setting up passwords etc.). Right?
Yes.
I would suggest that you use the D-Bus configuration to only allow a dedicated user to communicate with the service (maybe in the beginning root, later maybe some other user account). When you come up with that new config file I can whitelist the stuff.
OK, it makes sense. We are restricting the access to the root user only by now (see https://github.com/yast/d-installer/pull/267). [..]
After starting the service it works, but the service should also *autostart* due to the configuration files in the package. That is where the error above is coming from, the autostarting somehow failed.
Autostarting the installer maybe isn't the best idea anyway, it should always be explicitly started. But then you shouldn't ship an autostart config.
That's true. The service name was wrong, but I agree that it does not make much sense. So in the same PR (https://github.com/yast/d-installer/pull/267) I am dropping the D-Bus service file. Thanks! -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1202059 http://bugzilla.opensuse.org/show_bug.cgi?id=1202059#c16 Imobach Gonzalez Sosa <igonzalezsosa@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |igonzalezsosa@suse.com Flags| |needinfo?(igonzalezsosa@sus | |e.com) --- Comment #16 from Imobach Gonzalez Sosa <igonzalezsosa@suse.com> --- We plan to release a new version by the end of the next week. I will submit the package then. Thanks! PS: I am putting the needinfo on me. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1202059 http://bugzilla.opensuse.org/show_bug.cgi?id=1202059#c24 Imobach Gonzalez Sosa <igonzalezsosa@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(igonzalezsosa@sus | |e.com) | --- Comment #24 from Imobach Gonzalez Sosa <igonzalezsosa@suse.com> --- Hi Matthias, Finally, we released a new version, and we have updated the package in YaST:Head:D-Installer/rubygem-d-installer[1]. I hope it is better now. Thanks! [1] https://build.opensuse.org/package/show/YaST:Head:D-Installer/rubygem-d-inst... -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1202059 http://bugzilla.opensuse.org/show_bug.cgi?id=1202059#c26 --- Comment #26 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> --- This is an autogenerated message for OBS integration: This bug (1202059) was mentioned in https://build.opensuse.org/request/show/1037256 Factory / rpmlint -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1202059 http://bugzilla.opensuse.org/show_bug.cgi?id=1202059#c27 --- Comment #27 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> --- This is an autogenerated message for OBS integration: This bug (1202059) was mentioned in https://build.opensuse.org/request/show/1037304 Factory / rpmlint -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1202059 http://bugzilla.opensuse.org/show_bug.cgi?id=1202059#c28 --- Comment #28 from Imobach Gonzalez Sosa <igonzalezsosa@suse.com> --- After adapting the code, we have submitted the packages again: - https://build.opensuse.org/request/show/1038843 - https://build.opensuse.org/request/show/1038844 - https://build.opensuse.org/request/show/1038845 Thanks! -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com