[Bug 1211374] AUDIT-TRACKER: deepin-app-services: new dbus services of deepin-app-services
https://bugzilla.suse.com/show_bug.cgi?id=1211374
https://bugzilla.suse.com/show_bug.cgi?id=1211374#c23

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
        Assignee|matthias.gerstner@suse.com  |hillwoodroc@gmail.com
         Summary|AUDIT-WHITELIST:            |AUDIT-TRACKER:
                |deepin-app-services: new    |deepin-app-services: new
                |dbus services of            |dbus services of
                |deepin-app-services         |deepin-app-services

--- Comment #23 from Matthias Gerstner <matthias.gerstner@suse.com> ---

Sorry for the long delay. I looked into the current status of
deepin-app-services just now.

While the findings I reported before have been addressed by now, I am still
not happy with the current state of the D-Bus services offered here.

In the org.desktopspec.ConfigManager interface:

- setDelayReleaseTime(): takes a signed integer (milliseconds) after which
  time registered applications are automatically removed again. This
  parameter can also be negative, and it will be passed on as a negative
  value directly to QTimer. The code tries to prevent a too large value
  here, but negative values could have a similar effect (e.g. disabling the
  timer completely). This case should be caught.

- enableVerboseLogging(), disableVerboseLogging(), setLogRules(in s rules):
  these methods allow complete control of the QLogger setup of the daemon.
  This should be restricted to privileged users, or at least to users in a
  local graphical session.

- sync(in s path): There are checks for this path in `getMetaConfigureId()`,
  but the regular expressions used there only check that the suffix of the
  path ends in "configs/<subpath>/<resource>.json". The caller can create a
  structure in its home directory e.g. in
  $HOME/configs/myapp/myid/myconfig.json, and the path will be accepted. An
  access() is made on this path, following symlinks, so it can be used for
  file existence tests (although the service does run as a dedicated service
  user). Only the "subpath" will be stored for the configuration key, but
  the call should still be rejected if the file is not found in
  /usr/share/.../config.

- acquireManagerV2(in u uid, in s appid, in s name, in s subpath, out o path):
  This method allows arbitrary local users to create a key/value store for
  an arbitrary "uid" and any locally registered apps found in
  /usr/share/dsg/configs. It allows to access the key/value stores of other
  users in the system without any privilege checks. Example:

    # increase the release time so newly created interfaces stay around for
    # long enough
    gdbus call -y -d org.desktopspec.ConfigManager -o / \
        -m org.desktopspec.ConfigManager.setDelayReleaseTime '300000'

    # this will create a new key/value store for the example dconfig app,
    # supposedly belonging to "uid 0", i.e. root
    gdbus call -y -d org.desktopspec.ConfigManager -o / \
        -m org.desktopspec.ConfigManager.acquireManagerV2 0 dconfig-example example a

    # get the current configuration value for "canExit"
    gdbus call -y -d org.desktopspec.ConfigManager -o /dconfig_example/examplea/0 \
        -m org.desktopspec.ConfigManager.Manager.value canExit
    (<true>,)

    # change the value to false
    gdbus call -y -d org.desktopspec.ConfigManager -o /dconfig_example/examplea/0 \
        -m org.desktopspec.ConfigManager.Manager.setValue canExit '<boolean false>'

  These calls can be performed by any local user, even 'nobody'.

Apart from the concrete issues listed above, what is missing here is:

- Polkit authentication. Only users in a local graphical session should be
  able to use this service.

- User isolation. One user should not be able to access another user's
  configuration. `uid` should not be passed as a parameter, but the caller's
  UID should be fetched from the D-Bus connection.

I'm turning this bug into a TRACKER bug and reassigning it to you, this
needs to be addressed by upstream.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
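The three input checks the comment asks for (a non-negative release delay, a sync() path that must resolve below the system config root rather than merely end in the right suffix, and a caller UID taken from the bus instead of a parameter), as an added example. This is not deepin-app-services code; it is Python rather than the daemon's Qt/C++, and the config root, the delay upper bound and the callable standing in for org.freedesktop.DBus.GetConnectionUnixUser are assumptions.

```python
import os
import re
from typing import Callable, Optional, Tuple

# System-wide location of registered app configs, as named in the report.
CONFIG_ROOT = "/usr/share/dsg/configs"
# Upper bound for the release delay; the concrete value is an assumption.
MAX_DELAY_MS = 60 * 60 * 1000
# Path relative to CONFIG_ROOT must look like "<subpath>/<resource>.json".
REL_RE = re.compile(r"^(?P<subpath>[\w.-]+(?:/[\w.-]+)*)/(?P<resource>[\w.-]+)\.json$")

def check_delay_release_ms(ms: int) -> int:
    """setDelayReleaseTime(): reject negative values (a negative QTimer
    interval would effectively disable the release) and overly large ones."""
    if isinstance(ms, bool) or not isinstance(ms, int):
        raise TypeError("delay must be an integer number of milliseconds")
    if ms < 0:
        raise ValueError("negative delay would disable automatic release")
    if ms > MAX_DELAY_MS:
        raise ValueError(f"delay exceeds {MAX_DELAY_MS} ms")
    return ms

def check_sync_path(path: str, root: str = CONFIG_ROOT,
                    must_exist: bool = True) -> Tuple[str, str]:
    """sync(): accept `path` only if it resolves to a regular file below
    `root`. Checking the prefix after realpath() rejects $HOME/configs/...
    look-alikes and ../ or symlink escapes that a suffix regex lets through."""
    if not os.path.isabs(path):
        raise ValueError("path must be absolute")
    resolved, root_resolved = os.path.realpath(path), os.path.realpath(root)
    if resolved == root_resolved or os.path.commonpath([resolved, root_resolved]) != root_resolved:
        raise ValueError("path is not below the system config root")
    m = REL_RE.fullmatch(os.path.relpath(resolved, root_resolved).replace(os.sep, "/"))
    if m is None:
        raise ValueError("path is not of the form <subpath>/<resource>.json")
    if must_exist and not os.path.isfile(resolved):
        raise FileNotFoundError(f"no such config below {root}: {resolved}")
    return m.group("subpath"), m.group("resource")

def resolve_caller_uid(sender: str, requested_uid: Optional[int],
                       get_connection_unix_user: Callable[[str], int]) -> int:
    """acquireManagerV2(): take the uid from the bus, not from the caller.
    `get_connection_unix_user` stands in for the bus daemon's
    GetConnectionUnixUser(sender) call (assumption: wired to the D-Bus binding)."""
    actual = int(get_connection_unix_user(sender))
    if requested_uid is not None and requested_uid != actual:
        raise PermissionError(f"sender uid {actual} may not act for uid {requested_uid}")
    return actual
```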