group.of.nepali.translators team mailing list archive
Message #11138
[Bug 1666358] Re: iio-sensor-proxy: Insecure configuration of dbus service
** Bug watch added: Debian Bug tracker #853951
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853951
** Also affects: iio-sensor-proxy (Debian) via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853951
Importance: Unknown
Status: Unknown
** Bug watch added: github.com/hadess/iio-sensor-proxy/issues #41
https://github.com/hadess/iio-sensor-proxy/issues/41
** Also affects: iio-sensor-proxy via
https://github.com/hadess/iio-sensor-proxy/issues/41
Importance: Unknown
Status: Unknown
** Description changed:
The dbus configuration for iio-sensor-proxy allowed any process on the
system bus to send an org.freedesktop.DBus.Properties.Set() call to any
other process on the system bus, even if the destination process
expected to be only accessible by root.
https://github.com/hadess/iio-sensor-proxy/commit/e2d81f2
This was fixed in the upstream version 2.1
and in Debian's 2.0-4 (which was autosynced to zesty).
I'll prepare debdiff's containing the Debian fix for xenial and yakkety.
Test Case
=========
dbus-send --system --dest=org.freedesktop.nm_dispatcher --type=method_call \
--print-reply / org.freedesktop.DBus.Properties.Set string:Foo variant:string:bar
Bad response:
Error org.freedesktop.DBus.Error.UnknownMethod: No such interface
'org.freedesktop.DBus.Properties' on object at path /
Good response:
Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.5523" (uid=1000 pid=13527
comm="dbus-send --system --dest=org.freedesktop.nm_dispa")
interface="org.freedesktop.DBus.Properties" member="Set" error
name="(unset)" requested_reply="0"
destination="org.freedesktop.nm_dispatcher" (uid=0 pid=13528
comm="/usr/lib/NetworkManager/nm-dispatcher ")
+
+ Testing Done So Far
+ ==================
+ None
** Patch added: "iio-sensor-proxy-lp1666358-xenial.debdiff"
https://bugs.launchpad.net/iio-sensor-proxy/+bug/1666358/+attachment/4823031/+files/iio-sensor-proxy-lp1666358-xenial.debdiff
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1666358
Title:
iio-sensor-proxy: Insecure configuration of dbus service
Status in Iio Sensor Proxy:
Unknown
Status in iio-sensor-proxy package in Ubuntu:
New
Status in iio-sensor-proxy source package in Xenial:
New
Status in iio-sensor-proxy source package in Yakkety:
New
Status in iio-sensor-proxy package in Debian:
Unknown
Bug description:
The dbus configuration for iio-sensor-proxy allowed any process on the
system bus to send an org.freedesktop.DBus.Properties.Set() call to
any other process on the system bus, even if the destination process
expected to be only accessible by root.
https://github.com/hadess/iio-sensor-proxy/commit/e2d81f2
This was fixed in the upstream version 2.1
and in Debian's 2.0-4 (which was autosynced to zesty).
I'll prepare debdiffs containing the Debian fix for xenial and
yakkety.
Test Case
=========
dbus-send --system --dest=org.freedesktop.nm_dispatcher --type=method_call \
--print-reply / org.freedesktop.DBus.Properties.Set string:Foo variant:string:bar
Bad response:
Error org.freedesktop.DBus.Error.UnknownMethod: No such interface
'org.freedesktop.DBus.Properties' on object at path /
Good response:
Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.5523" (uid=1000 pid=13527
comm="dbus-send --system --dest=org.freedesktop.nm_dispa")
interface="org.freedesktop.DBus.Properties" member="Set" error
name="(unset)" requested_reply="0"
destination="org.freedesktop.nm_dispatcher" (uid=0 pid=13528
comm="/usr/lib/NetworkManager/nm-dispatcher ")
Testing Done So Far
==================
None
To manage notifications about this bug go to:
https://bugs.launchpad.net/iio-sensor-proxy/+bug/1666358/+subscriptions
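
Added example, not part of the original bug report or the project's code: a Python check for one kind of bus policy rule that produces the behaviour described above, an <allow> rule that selects messages by interface but names no destination and so applies to every service on the system bus. The policy fragments and the com.example.Sensor name are constructed placeholders, not the package's actual configuration file.

```python
import xml.etree.ElementTree as ET

# Constructed policy fragment (assumption, not the package's real file).
# com.example.Sensor is a placeholder bus name.
WEAK = """<busconfig>
  <policy user="root">
    <allow own="com.example.Sensor"/>
  </policy>
  <policy context="default">
    <allow send_destination="com.example.Sensor" send_interface="com.example.Sensor"/>
    <allow send_interface="org.freedesktop.DBus.Properties"/>
  </policy>
</busconfig>"""

# Same fragment with the Properties rule pinned to the service's own name.
FIXED = WEAK.replace(
    '<allow send_interface="org.freedesktop.DBus.Properties"/>',
    '<allow send_destination="com.example.Sensor" '
    'send_interface="org.freedesktop.DBus.Properties"/>')

# Attributes that select which outgoing messages an <allow> rule matches.
SEND_ATTRS = ("send_interface", "send_member", "send_path", "send_type")


def unscoped_allows(policy_xml):
    """Return (policy scope, rule attributes) for each <allow> rule that
    permits sending but is not limited to a destination name."""
    findings = []
    root = ET.fromstring(policy_xml)
    for policy in root.iter("policy"):
        scope = ", ".join(f"{k}={v}" for k, v in sorted(policy.attrib.items()))
        for rule in policy.findall("allow"):
            sends = any(attr in rule.attrib for attr in SEND_ATTRS)
            # Covers send_destination and send_destination_prefix.
            scoped = any(k.startswith("send_destination") for k in rule.attrib)
            if sends and not scoped:
                findings.append((scope, dict(rule.attrib)))
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK), ("fixed", FIXED)):
        print(label, unscoped_allows(xml))
```

A rule flagged here is a candidate for review: the dbus-send test case above shows whether the bus actually rejects the call.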