scox.info - Random Thoughts - HAL http://scox.info/ en Tue, 06 Jan 2009 23:47:29 +0100 http://blogs.law.harvard.edu/tech/rss Dotclear Using D-Bus from setuid applications http://scox.info/post/2007/8/25/using-dbus-from-setuid-applications urn:md5:7096cfdf61cec980749d348fba4c8ca1 Sat, 25 Aug 2007 15:00:00 +0000 scox code DBUSHAL <p>When trying to connect to the system bus from a setuid application, D-Bus throws back the following error:</p> <blockquote> <p>Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.</p> </blockquote><p>After some debugging, I found that the problem is a bug in the D-Bus EXTERNAL authentication method: the library sends the real UID while the daemon checks the effective UID, which of course doesn't work at all in setuid applications.</p> <p>I filed a <a href="https://bugs.freedesktop.org/show_bug.cgi?id=11876">bug report</a> in the <a href="https://bugs.freedesktop.org/show_bug.cgi?id=11876">Freedesktop Bugzilla</a> and provideda <a href="https://bugs.freedesktop.org/attachment.cgi?id=11021">patch</a> which is yet to be merged.</p> <p>In the meantime, if you need to use D-Bus in a setuid application, the following code might help:</p> <pre><code>DBusConnection *my_dbus_bus_get(DBusBusType type, DBusError *error)<br />{<br /> DBusConnection *bus = NULL;<br /><br /> if (!(bus = dbus_bus_get(type, error)))<br /> {<br /> /* The connection to the BUS failed, we now check<br /> * if we are running as setuid. */<br /> uid_t ruid;<br /> uid_t euid;<br /><br /> if (!(euid = geteuid()) &amp;&amp; (ruid = getuid()))<br /> {<br /> /* In that case, we temporary change our<br /> * real uid to the effective uid and try again */<br /> dbus_error_free(error);<br /> setreuid(euid, euid);<br /> bus = dbus_bus_get(type, error);<br /> setreuid(ruid, euid);<br /> }<br /> }<br /> return bus;<br />}</code></pre><p>This workaround is a function you'll have to call instead of the regular <em>dbus_bus_get()</em>. In case the connection fails and it's running on a setuid application, it will change the real UID to match the effective UID so the authentication process will succeed, make a connection to D-Bus and restore everything back.</p> http://scox.info/post/2007/8/25/using-dbus-from-setuid-applications#comment-form http://scox.info/post/2007/8/25/using-dbus-from-setuid-applications#comment-form http://scox.info/feed/rss2/comments/4