Hi Supriti,

On 07/24/2017 01:07 PM, Supriti Singh wrote:
Hello all,

I have submitted a new patch https://review.gerrithub.io/#/c/370835/ to allow only root users to access the dbus. In the current dbus configuration, there are some security issues. For example, even a non-root user can call shutdown on a ganesha process started by root. The easiest way to fix is to allow only root for now.

Apart from shutting down ganesha process, are there any other security issues which you are aware of? We had one user reporting a security threat with using DBus a while ago but hadn't provided many details.


For 2.6, we can have a better solution. As I understood, the plan is to support non-root as well in future. Maybe we can have either a user group "ganesha" and we allow only these users to have access.

+1

This is simple and similar to what Kaleb had suggested to make ganesha process be able to run by non-root user. But yes instead of tweaking the .conf file manually, if no one objects we can add it to default configuration.


The other solution would be to handle authorization in code. For example, using api dbus_bus_get_unix_user() [https://dbus.freedesktop.org/doc/api/html/group__DBusBus.html#ga24d782c710f3d82caf1b1ed582dcf474]. I have just started looking into it. Maybe this solution is intrusive and hard to maintain. I will research a bit more.

Please let me know your thoughts.

I do not know how complicated it shall be, but as long as there is a way for ganesha service to get credentials of the user executing dbus command to compare with this unix_user, it should be good IMO.

Thanks,
Soumya

[1] http://seclists.org/oss-sec/2016/q4/349


Thanks,
Supriti

------
Supriti Singh SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)
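
The two policy options discussed in this thread (root only for now, a "ganesha" group later), written out as a D-Bus system-bus policy file. This is an added example, not the patch under review or the project's shipped configuration; the bus name org.ganesha.nfsd is an assumption, and the "ganesha" group must already exist on the host.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Baseline for every caller. dbus-daemon applies context="default"
       rules first, then group rules, then user rules, so the allows
       below override these denies only for the named principals.
       A permissive file would carry an allow for send_destination in
       this block, which is what lets any local user invoke methods
       such as shutdown on a daemon started by root. -->
  <policy context="default">
    <deny own="org.ganesha.nfsd"/>
    <deny send_destination="org.ganesha.nfsd"/>
  </policy>

  <!-- Root-only access: root may claim the service name and is allowed
       to send method calls to it. -->
  <policy user="root">
    <allow own="org.ganesha.nfsd"/>
    <allow send_destination="org.ganesha.nfsd"/>
  </policy>

  <!-- Group-based access proposed for a later release: members of the
       "ganesha" group may call the service but may not own the name.
       Remove this block to keep the root-only behaviour. -->
  <policy group="ganesha">
    <allow send_destination="org.ganesha.nfsd"/>
  </policy>

</busconfig>
```

Policy rules of this kind decide who may reach the service at all; distinguishing callers per method (for example, letting group members query but not shut down) is the case the in-code check with dbus_bus_get_unix_user() would cover.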






------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Nfs-ganesha-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfs-ganesha-devel

