D-Bus Policy needs checking

Bug #318742 reported by Scott James Remnant (Canonical)
Affects         Status         Importance   Assigned to   Milestone
CUPS            New            Undecided    Unassigned
cups (Debian)   Fix Released   Unknown
  Nominated for Squeeze by Martin Pitt
cups (Ubuntu)   Fix Released   Low          Martin Pitt
  Jaunty        Fix Released   Low          Martin Pitt

Bug Description

cups builds one or more binary packages that contain D-Bus system
bus services. The following were detected:

  net/cups etc/dbus-1/system.d/cups.conf

The D-Bus policy needs checking!

It was discovered that the default policy of the D-Bus system bus was
not as was expected, due to a quirk of the language. In fact, whereas
the default policy was supposed to have been that messages would not be
allowed by default, the default was in fact that messages _were_
allowed!

CVE-2008-4311 was issued, and a new release of D-Bus was updated to
correct the default policy to be deny-by-default.

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4311

It was quickly discovered that the policy files shipped by most services
no longer worked, and that many were (inadvertently, perhaps) relying on
the misconfiguration of the daemon.

A new version of D-Bus has been uploaded to jaunty to correct this.

Please read the following carefully to assist with updating the
configuration.

The default policy of the D-Bus system bus is:

 - Name ownership is DENIED by default.

 - Method calls are DENIED by default.

 - Replies to method calls, including errors, are PERMITTED by default.

 - Signals are PERMITTED by default.

Therefore each service MUST, in its policy configuration:

 - Permit an appropriate user to own the name it wishes to claim:

        <policy user="example">
            <allow own="com.ubuntu.example" />
        </policy>

 - Allow method calls to be made on objects it exports, for particular
   users. This may be done in a number of different ways.

   You may simply allow all method calls to your claimed name:

        <policy context="default">
            <allow send_destination="com.ubuntu.example" />
        </policy>

   You may allow method calls to particular interfaces you export,
   especially useful if you have privileged and non-privileged
   interfaces:

        <policy context="default">
            <allow send_destination="com.ubuntu.example"
                   send_interface="com.ubuntu.Example" />
        </policy>

        <policy user="root">
            <allow send_destination="com.ubuntu.example"
                   send_interface="com.ubuntu.Example.System" />
        </policy>

    *IMPORTANT* you MUST include send_destination on ALL allow or deny
    tags. Omitting it is a SERIOUS bug!

                <!-- !! SERIOUS BUG !! -->
                <allow send_interface="x.y.z" />

        This allows any service to receive method calls of the given
        interface, not just your own service!

        It also implicitly allows any service to receive method calls
        with no interface specified, in case they match this interface!

        Using the above means you are potentially allowing exploiting of
        a different service. DO NOT DO IT!

                <!-- !! SERIOUS BUG !! -->
                <deny send_interface="x.y.z" />

        This denies all services from receiving method calls of the
        given interface, not just your own service! It also implicitly
        denies all services from receiving method calls with no
        interface specified. DO NOT DO IT!

 - You must allow standard interfaces as well, such as Introspection and
   Properties:

        <policy context="default">
            <allow send_destination="com.ubuntu.example"
                   send_interface="org.freedesktop.DBus.Introspectable" />
            <allow send_destination="com.ubuntu.example"
                   send_interface="org.freedesktop.DBus.Properties" />
        </policy>

 - You should not normally allow receipt of any messages sent from your
   interface, this is also the default.

   (ie. remove any lines of the form <allow receive_*>)

 - You do not normally need to deny any messages, this is the default.

   (ie. remove any lines of the form <deny...>)

You should fully test the service with the new D-Bus after updating the
policy, you'll need to restart the bus daemon for that (it's probably
easier to reboot).

If messages are being denied, it will be logged in /var/log/auth.log as
follows:

Dec 19 14:17:53 space-ghost dbus: Rejected send message, 1 matched
rules; type="method_return", sender=":1.26" (uid=0 pid=2966
comm="/usr/libexec/nm-dispatcher.action ") interface="(unset)"
member="(unset)" error name="(unset)" requested_reply=0
destination=":1.18" (uid=0 pid=2806 comm="NetworkManager
--pid-file=/var/run/NetworkManager/"))

Be aware that a denied message may still happen if you have other
invalid policy installed (such as those which don't qualify allow/deny
rules with the destination!). Take the opportunity to fix all you see.

Tags: dbus-policy
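
A lint pass over a system.d policy file for the mistakes listed in the report above, as an added example that is not part of the original report or of D-Bus. The sample policy is constructed, and lint_policy is a hypothetical helper name; rules that only use own= are left alone.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not the cups.conf from this bug); it mixes
# correct rules with the mistakes the report warns about.
SAMPLE_POLICY = """<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="example">
    <allow own="com.ubuntu.example"/>
  </policy>
  <policy context="default">
    <allow send_destination="com.ubuntu.example"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_interface="x.y.z"/>
    <deny send_interface="x.y.z"/>
    <allow receive_sender="com.ubuntu.example"/>
    <deny send_destination="com.ubuntu.example"
          send_interface="com.ubuntu.Example.System"/>
  </policy>
</busconfig>"""

def lint_policy(xml_text):
    """Return (severity, policy scope, rule, message) for each questionable rule."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("policy"):
        scope = " ".join(f'{k}="{v}"' for k, v in sorted(policy.attrib.items()))
        for rule in policy:
            if rule.tag not in ("allow", "deny"):
                continue
            attrs = rule.attrib
            text = "<%s %s>" % (rule.tag, " ".join(f'{k}="{v}"' for k, v in attrs.items()))
            sends = [a for a in attrs if a.startswith("send_")]
            if sends and "send_destination" not in attrs:
                # The "SERIOUS BUG" case: the rule is not tied to one service.
                findings.append(("error", scope, text,
                                 "send_* rule without send_destination applies to every service"))
            elif rule.tag == "allow" and any(a.startswith("receive_") for a in attrs):
                findings.append(("warning", scope, text,
                                 "receive_* allow is not normally needed"))
            elif rule.tag == "deny":
                findings.append(("warning", scope, text,
                                 "deny is the default; rule is normally unnecessary"))
    return findings

if __name__ == "__main__":
    for severity, scope, rule, message in lint_policy(SAMPLE_POLICY):
        print(f"{severity}: policy[{scope}] {rule}: {message}")
```
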
Scott James Remnant (Canonical) (canonical-scott) wrote :
Changed in cups:
status: Unknown → Fix Released
status: Unknown → Fix Released
Martin Pitt (pitti) wrote :

I'll fix that in the Debian trunk. Removing the invalid bug link.

Changed in cups (Ubuntu):
assignee: nobody → pitti
status: New → In Progress
Changed in cups (Debian):
importance: Unknown → Undecided
status: Fix Released → New
Pedro Villavicencio (pedro) wrote :

Thanks for the report, Martin is going to take care of it, assign it to him. Thanks all.

Changed in cups (Ubuntu):
importance: Undecided → Low
status: In Progress → Triaged
Martin Pitt (pitti) wrote :

I'll send it to upstream once I have it.

Changed in cups:
importance: Unknown → Undecided
status: Fix Released → New
Changed in cups (Debian):
assignee: nobody → pitti
status: New → In Progress
Changed in cups (Ubuntu):
status: Triaged → In Progress
Martin Pitt (pitti)
Changed in cups (Debian):
assignee: pitti → nobody
importance: Undecided → Unknown
status: In Progress → Unknown
Changed in cups:
status: Unknown → New
Martin Pitt (pitti) wrote :

Since all cupsd does is to send signals, which are allowed by default, I'll just remove the configuration file entirely.

Changed in cups (Ubuntu Jaunty):
status: In Progress → Fix Committed
Scott James Remnant (Canonical) (canonical-scott) wrote :

As just discussed via e-mail, this is wrong

Changed in cups (Ubuntu Jaunty):
status: Fix Committed → In Progress
Martin Pitt (pitti) wrote :

Can you please be more specific? I just replied to the Debian bug.

Martin Pitt (pitti) wrote :

Setting back to incomplete. I won't upload bzr trunk for now, until it's clearer how to proceed here.

I tested printer and print job handling without the current d-bus file (which is broken anyway), and it works just fine.

Changed in cups (Ubuntu Jaunty):
status: In Progress → Incomplete
Martin Pitt (pitti) wrote :

This was discussed further on IRC yesterday, and with cups' current architecture there is no more sensible way of writing a policy.

Changed in cups (Ubuntu Jaunty):
status: Incomplete → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 1.3.9-16

---------------
cups (1.3.9-16) unstable; urgency=low

  [ Till Kamppeter ]
  * debian/local/filters/pdf-filters/pdftopdf/P2PResources.cxx: Fixed
    corruption of output when generating multiple copies of EOG or GIMP
    output files (LP: #345183).
  * debian/cups.postinst: Silenced non-fatal error messages when
    post-install script updates PPDs and there are PPDs not belonging to
    a CUPS queue in /etc/cups/ppd/ (LP: #345866).

  [ Martin Pitt ]
  * debian/local/apparmor-profile: Drop 'm' permission for /etc/passwd and
    friends, which was a workaround for a kernel apparmor bug on i386. This is
    fixed in current kernels. Thanks to Kees Cook for pointing this out!
    (LP: #270663)
  * debian/cups.install: Do not install the unnecessary (and broken) D-BUS
    configuration file any more. All cupsd does is to send signals, which are
    allowed by default. It does not provide any D-BUS service right now. Also
    remove the obsolete file on upgrades in debian/cups.preinst.
    (Closes: #510634, LP: #318742)
  * Add logfiles_adm_readable.dpatch: Make log files readable by group "adm".
    (LP: #345953)
  * debian/changelog: Fix cruft at the end of file.
  * debian/local/apparmor-profile: Explicitly deny access to /dev/tty and
    writing access to /etc/krb5.conf, so that accesses to them do not create
    log spewage. (LP: #348556)

 -- Martin Pitt <email address hidden> Fri, 27 Mar 2009 09:35:56 +0100

Changed in cups (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Changed in cups (Debian):
status: New → Fix Released