Matt Fischer [Wed, 20 Feb 2013 21:23:42 +0000 (15:23 -0600)]
Set default maximum number of Unix fds according to OS
QNX has an arbitrary limit to the number of file descriptors
which may be passed in a message, which is smaller than the
current default. This patch therefore changes the default from
a hardcoded constant to a macro, which is determined at configure
time by looking at the host operating system.
[This reduces the limit from 4096 (session)/1024 (system) to 128 fds
per message on QNX, and 1024 fds per message on other operating systems.
I think the reduced session bus limit on other OSs is a reasonable change
too, given that the default hard/soft ulimits in Linux are only 4096/1024
fds per process. -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=61176 Reviewed-by: Simon McVittie <simon.mcvittie.collabora.co.uk>
Simon McVittie [Fri, 5 Apr 2013 12:28:54 +0000 (13:28 +0100)]
Do not suppress syslog test's stderr just because init is systemd
This causes the test to fail. The assumption implicitly being made was
"if pid 1 is systemd, then every caller of _dbus_init_system_log() is a
systemd service" which is not valid for the regression test.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=63163 Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Colin Walters <walters@verbum.org>
Simon McVittie [Mon, 18 Feb 2013 14:27:48 +0000 (14:27 +0000)]
Don't warn for functions deprecated since GLib 2.26
Also warn if we inadvertently use a function introduced since then.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=59971 Reviewed-by: Colin Walters <walters@verbum.org>
Dan Williams [Thu, 4 Apr 2013 15:49:18 +0000 (10:49 -0500)]
Don't access random memory if data slot isn't allocated yet
If DBUS_DISABLE_ASSERTS was turned on, and a buggy program called
dbus_connection_get_data() with a slot number less than zero (eg,
before even allocating the data slot), random memory would be
accessed and a random value returned. Anything less than zero
is not a valid slot number and should be rejected by libdbus.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=63127 Signed-off-by: Dan Williams <dcbw@redhat.com> Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Ralf Habacker [Fri, 8 Mar 2013 12:55:32 +0000 (13:55 +0100)]
Add function _dbus_get_peer_pid_from_tcp_handle() which returns pid and sid from tcp connection peer.
This function is called by _dbus_read_credentials_socket() to fetch client credentials.
Because Wine is used to check cross compiled dbus for windows, in calls to GetExtendedTcpTable()
we use table class TCP_TABLE_OWNER_PID_ALL instead of TCP_TABLE_OWNER_PID_CONNECTIONS.
This class is the only one which is available since wine 1.5.3.
https://bugs.freedesktop.org/show_bug.cgi?id=61787 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Martin Pitt [Thu, 21 Mar 2013 08:37:48 +0000 (09:37 +0100)]
Update sd-daemon.[hc] from upstream
This fixes sd_booted() to actually mean "have systemd init", which we need for
_dbus_init_system_log() to decide whether systemd journal is being used.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=62585 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Mon, 18 Feb 2013 14:30:22 +0000 (14:30 +0000)]
Include config.h as the first thing in every .c file
...except for CheckForAbstractSockets.c, which runs before config.h is
generated, and sd-daemon.c, which is externally-maintained.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=59971 Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Colin Walters <walters@verbum.org>
Simon McVittie [Mon, 18 Feb 2013 14:27:48 +0000 (14:27 +0000)]
Don't warn for functions deprecated since GLib 2.26
Also warn if we inadvertently use a function introduced since then.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=59971 Reviewed-by: Colin Walters <walters@verbum.org>
Simon McVittie [Thu, 14 Feb 2013 13:30:19 +0000 (13:30 +0000)]
Eliminate unwanted whitespace from the man pages' XML source
As demanded by the git commit hook set up by autogen.sh, this eliminates
trailing whitespace on each line, and blank lines at EOF. We might as
well do this now, since every line in these files has changed anyway.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=59805 Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Simon McVittie [Thu, 14 Feb 2013 13:39:15 +0000 (13:39 +0000)]
Remove doclifter "signature" from Docbook man pages' source
This no longer serves any purpose, and might mislead contributors
into thinking that this XML is not the source for the man pages.
(The man(7)-formatted man pages used to be the canonical source for
the XML, but now it's the other way round.)
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=59805 Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Ralf Habacker [Sat, 16 Feb 2013 10:06:43 +0000 (11:06 +0100)]
Removed precarious cross compile shell script.
CMake provides a standardized way to cross compile packages by
using -DCMAKE_TOOLCHAIN_FILE at configure time.
Also recent distributions like opensuse provides up to date native mingw
binary packages and cross compile packages which reduces the cross
compile setup to package installation and setup of a cross tool chain file
as documented at http://www.vtk.org/Wiki/CMake_Cross_Compiling.
https://bugs.freedesktop.org/show_bug.cgi?id=59733 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Matt Fischer [Tue, 5 Feb 2013 00:14:31 +0000 (18:14 -0600)]
Add poll constants for QNX
The QNX operating system uses different values for its poll
constants, so they must be added into dbus-sysdeps.h in order
for poll() to work correctly.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=60339 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
<servicehelper> is not supported in the included config file, i. e. it's
not merged in merge_included(). There's clearly no reason it shouldn't
be supported in the included config file along with <user>, <type>
and others. It's quite reasonable for a client willing to override the
default servicehelper, e. g. in system-local.conf.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=51560 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Ralf Habacker [Mon, 28 Jan 2013 18:55:10 +0000 (19:55 +0100)]
CMake build system fix: Lets check for xmlto doc book generator first.
We shouldn't try to build the documentation with meinproc *and* xmlto.
Prefer xmlto, since it's also the one we use under Autotools.
We still need to support meinproc as a fallback, because xmlto isn't
available on Windows.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=59733 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Mon, 19 Nov 2012 15:21:57 +0000 (15:21 +0000)]
NEWS
As well as documenting recent changes, this sorts out some divergence
between the master and dbus-1.6 versions of NEWS, so the 1.6 entries
are the same as in the corresponding releases.
Simon McVittie [Mon, 13 Aug 2012 18:43:12 +0000 (19:43 +0100)]
configure: redo pthread check to check for more things
In principle, anything in the pthread namespace might either be in the
platform-specific thread library (libpthread or libpthreads or libthreads
or ...), or in libc.
In particular, it seems that pthread_mutexattr_init and
pthread_mutexattr_settype are in libpthread, not libc, on Linux. We
previously didn't (intentionally) look for them in libpthread, only
in libc; so this check deserved to fail.
However, a faulty configure check for pthread_cond_timedwait
worked around this on Linux by checking for -lpthread and adding it
to THREAD_LIBS if pthread_cond_timedwait *was* found in libc (even
though that behaviour makes no sense).
The practical impact was that D-Bus would fail to compile on platforms
where pthread_cond_timedwait is in a special threading library that
is not linked by default, and at least one of
(pthread_mutexattr_init, pthread_mutexattr_settype) is also in a
special threading library. This is the case on at least OpenBSD
(fd.o #54416).
So far I've only added checks for the new symbols introduced by
using recursive pthreads mutexes. If we get reports of compilation
failures on weird platforms, we can check for more symbols.
Also clarify the indentation, which was turning into quite a mess,
and use AS_IF instead of if/elif/else/fi in accordance with Autoconf
best-practice.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=47239 Reviewed-by: Colin Walters <walters@verbum.org>
Simon McVittie [Fri, 9 Nov 2012 14:24:26 +0000 (14:24 +0000)]
Don't include generated documentation in the tarball
Building it unconditionally causes problems for minimal installations
(OSTree), and building it opportunistically means the tarball isn't
guaranteed to contain it, depending who releases libdbus and which
packages they happen to have installed at the time. If this documentation
is important enough that we need to ship it precompiled in tarballs,
we should guarantee it; or if it isn't important enough to justify that,
we should just drop it.
I don't think we really need it in the tarballs at all: most users
will get their libdbus from a binary distribution (in which case I expect
the distribution's dbus maintainers to set appropriate
build-dependencies), and those who build from source can either
install xmlto, read the documentation on our website, or at worst,
read the source XML. (We don't put the Doxygen-generated API reference
HTML in the tarball either, and I haven't heard any complaints.)
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=55426 Reviewed-by: Colin Walters <walters@verbum.org>
Arun Raghavan [Fri, 12 Oct 2012 16:22:03 +0000 (21:52 +0530)]
Fix building with newer Valgrind
Newer valgrind (tried with 3.8.0) defines macros so that a terminating
semi-colon is required. This fixes usage to follow that convention.
[edited to remove comments that are no longer useful -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=55932 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Ray Strode [Tue, 16 Oct 2012 18:38:28 +0000 (14:38 -0400)]
dbus-spawn: set SIGPIPE to SIG_IGN before activating services
dbus's service activation code sets SIGPIPE to SIG_DFL as a
sort of poor man's prctl(... PR_SET_PDEATHSIG) to detect when
the parent goes away.
It neglects to reignore the infamous signal before performing
activation, however.
This means if, for instance, journald is restarted all
services activated after it will die with SIGPIPE when logging
messages unless they explicitly ignore SIGPIPE themselves.
This commit changes dbus's service activation code to correctly
ignore SIGPIPE to protect activated services from a gruesome,
premature death.
Reviewed-by: Lennart Poettering <lennart@poettering.net>
https://bugzilla.redhat.com/show_bug.cgi?id=839258
Simon Peeters [Sun, 7 Oct 2012 14:59:30 +0000 (16:59 +0200)]
Set correct address when using --address=systemd:
When dbus gets launched through systemd, we need to create an address
string based on the sockets passed.
The _dbus_append_addres_from_socket() function is responsible for
extracting the address information from the file-descriptor and
formatting it in a dbus friendly way.
This fixes bus activation when running dbus under a systemd session.
Simon McVittie [Tue, 2 Oct 2012 08:34:48 +0000 (09:34 +0100)]
activation helper: when compiled for tests, do not reset system bus address
Otherwise, the tests try to connect to the real system bus, which will
often fail - particularly if you run the tests configured for the default
/usr/local (with no intention of installing the result), in which case
the tests would try to connect to /usr/local/var/run/dbus/system_bus_socket.
Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=52202
Geoffrey Thomas [Fri, 28 Sep 2012 05:02:06 +0000 (22:02 -0700)]
activation-helper: Ensure DBUS_STARTER_ADDRESS is set correctly
The fix for CVE-2012-3524 filters out all environment variables if
libdbus is used from a setuid program, to prevent various spoofing
attacks.
Unfortunately, the activation helper is a setuid program linking
libdbus, and this creates a regression for launched programs using
DBUS_STARTER_ADDRESS, since it will no longer exist.
Fix this by hardcoding the starter address to the default system bus
address.
Signed-off-by: Geoffrey Thomas <gthomas@mokafive.com> Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Fri, 28 Sep 2012 14:05:59 +0000 (10:05 -0400)]
hardening: Use __secure_getenv() in *addition* to _dbus_check_setuid()
This is a further security measure for the case of Linux/glibc
when we're linked into a binary that's using filesystem capabilities
or SELinux domain transitions (i.e. not plain old setuid).
In this case, _dbus_getenv () will return NULL because it will
use __secure_getenv(), which handles those via AT_SECURE.
Colin Walters [Fri, 28 Sep 2012 01:29:29 +0000 (21:29 -0400)]
hardening: Use __secure_getenv if available
This helps us in the case where we were executed via filesystem
capabilities or a SELinux domain transition, not necessarily a plain
old setuid binary.
Colin Walters [Wed, 22 Aug 2012 14:03:34 +0000 (10:03 -0400)]
CVE-2012-3524: Don't access environment variables or run dbus-launch when setuid
This matches a corresponding change in GLib. See
glib/gutils.c:g_check_setuid().
Some programs attempt to use libdbus when setuid; notably the X.org
server is shipped in such a configuration. libdbus never had an
explicit policy about its use in setuid programs.
I'm not sure whether we should advertise such support. However, given
that there are real-world programs that do this currently, we can make
them safer with not too much effort.
Better to fix a problem caused by an interaction between two
components in *both* places if possible.
How to determine whether or not we're running in a privilege-escalated
path is operating system specific. Note that GTK+'s code to check
euid versus uid worked historically on Unix, more modern systems have
filesystem capabilities and SELinux domain transitions, neither of
which are captured by the uid comparison.
On Linux/glibc, the way this works is that the kernel sets an
AT_SECURE flag in the ELF auxiliary vector, and glibc looks for it on
startup. If found, then glibc sets a public-but-undocumented
__libc_enable_secure variable which we can use. Unfortunately, while
it *previously* worked to check this variable, a combination of newer
binutils and RPM break it:
http://www.openwall.com/lists/owl-dev/2012/08/14/1
So for now on Linux/glibc, we fall back to the historical Unix version
until we get glibc fixed.
On some BSD variants, there is a issetugid() function. On other Unix
variants, we fall back to what GTK+ has been doing.
Reported-by: Sebastian Krahmer <krahmer@suse.de> Signed-off-by: Colin Walters <walters@verbum.org>
Geoffrey Thomas [Fri, 28 Sep 2012 05:02:06 +0000 (22:02 -0700)]
activation-helper: Ensure DBUS_STARTER_ADDRESS is set correctly
The fix for CVE-2012-3524 filters out all environment variables if
libdbus is used from a setuid program, to prevent various spoofing
attacks.
Unfortunately, the activation helper is a setuid program linking
libdbus, and this creates a regression for launched programs using
DBUS_STARTER_ADDRESS, since it will no longer exist.
Fix this by hardcoding the starter address to the default system bus
address.
Signed-off-by: Geoffrey Thomas <gthomas@mokafive.com> Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters [Fri, 28 Sep 2012 14:05:59 +0000 (10:05 -0400)]
hardening: Use __secure_getenv() in *addition* to _dbus_check_setuid()
This is a further security measure for the case of Linux/glibc
when we're linked into a binary that's using filesystem capabilities
or SELinux domain transitions (i.e. not plain old setuid).
In this case, _dbus_getenv () will return NULL because it will
use __secure_getenv(), which handles those via AT_SECURE.
Colin Walters [Fri, 28 Sep 2012 01:29:29 +0000 (21:29 -0400)]
hardening: Use __secure_getenv if available
This helps us in the case where we were executed via filesystem
capabilities or a SELinux domain transition, not necessarily a plain
old setuid binary.
Colin Walters [Wed, 22 Aug 2012 14:03:34 +0000 (10:03 -0400)]
CVE-2012-3524: Don't access environment variables or run dbus-launch when setuid
This matches a corresponding change in GLib. See
glib/gutils.c:g_check_setuid().
Some programs attempt to use libdbus when setuid; notably the X.org
server is shipped in such a configuration. libdbus never had an
explicit policy about its use in setuid programs.
I'm not sure whether we should advertise such support. However, given
that there are real-world programs that do this currently, we can make
them safer with not too much effort.
Better to fix a problem caused by an interaction between two
components in *both* places if possible.
How to determine whether or not we're running in a privilege-escalated
path is operating system specific. Note that GTK+'s code to check
euid versus uid worked historically on Unix, more modern systems have
filesystem capabilities and SELinux domain transitions, neither of
which are captured by the uid comparison.
On Linux/glibc, the way this works is that the kernel sets an
AT_SECURE flag in the ELF auxiliary vector, and glibc looks for it on
startup. If found, then glibc sets a public-but-undocumented
__libc_enable_secure variable which we can use. Unfortunately, while
it *previously* worked to check this variable, a combination of newer
binutils and RPM break it:
http://www.openwall.com/lists/owl-dev/2012/08/14/1
So for now on Linux/glibc, we fall back to the historical Unix version
until we get glibc fixed.
On some BSD variants, there is a issetugid() function. On other Unix
variants, we fall back to what GTK+ has been doing.
Reported-by: Sebastian Krahmer <krahmer@suse.de> Signed-off-by: Colin Walters <walters@verbum.org>
projects / thirdparty / dbus.git / log
