From owner-freebsd-hackers@FreeBSD.ORG Wed Aug 28 22:13:20 2013 Return-Path: Delivered-To: freebsd-hackers@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 794C963B; Wed, 28 Aug 2013 22:13:20 +0000 (UTC) (envelope-from jilles@stack.nl) Received: from mx1.stack.nl (unknown [IPv6:2001:610:1108:5012::107]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 207F62BB4; Wed, 28 Aug 2013 22:13:20 +0000 (UTC) Received: from snail.stack.nl (snail.stack.nl [IPv6:2001:610:1108:5010::131]) by mx1.stack.nl (Postfix) with ESMTP id 3CDF9120207; Thu, 29 Aug 2013 00:13:04 +0200 (CEST) Received: by snail.stack.nl (Postfix, from userid 1677) id 20BF828494; Thu, 29 Aug 2013 00:13:04 +0200 (CEST) Date: Thu, 29 Aug 2013 00:13:04 +0200 From: Jilles Tjoelker To: Andriy Gapon Subject: Re: [kde-freebsd] virtualbox file dialog problem Message-ID: <20130828221303.GA53931@stack.nl> References: <51E6B030.1080009@FreeBSD.org> <51E793DB.2020607@FreeBSD.org> <521DE891.9070107@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <521DE891.9070107@FreeBSD.org> User-Agent: Mutt/1.5.21 (2010-09-15) Cc: Greg Rivers , kde@FreeBSD.org, freebsd-gnome@FreeBSD.org, freebsd-hackers@FreeBSD.org, freebsd-security@FreeBSD.org, freebsd-emulation@FreeBSD.org, freebsd-standards@FreeBSD.org X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Aug 2013 22:13:20 -0000 On Wed, Aug 28, 2013 at 03:09:53PM +0300, Andriy Gapon wrote: > on 18/07/2013 10:06 Andriy Gapon said the following: > > on 18/07/2013 03:25 Greg Rivers said the following: > >> On Wed, 17 Jul 2013, Andriy Gapon wrote: > >>> I run virtualbox in KDE environment. A while ago (can't say > >>> exactly when) I started to have a problem where any file opening > >>> dialog would fail with this message: "Cannot talk to klauncher: > >>> Not connected to D-Bus server" > >>> > >>> I found that setting KDE_FORK_SLAVES=1 in environment works around > >>> the problem. > >> > >> I reported this same problem in this[1] thread on freebsd-ports@. > >> In that post I provided a link to a similar report for KDE on > >> openSUSE that required a dbus patch to fix. > >> I'm guessing that either the latest versions of VirtualBox have a > >> bug in their dbus interface, or the version of dbus we have needs > >> to be updated. > >> [1] http://lists.freebsd.org/pipermail/freebsd-ports/2013-July/084783.html > > I saw those OpenSUSE reports but I think that they were against the > > much older version of dbus. > I have done some more investigation and the problems turns out to be dbus > related indeed. > The problem has only a tangential relation to KDE, so I plan to drop > kde@ from this thread. It has a relation to what VirtualBox does, so > I am keeping emulation@. It is related to dbus and gnome@ is its > maintainer(s). It is also related to how issetugid(2) works, so I am > including standards@, security@ and hackers@. So, please excuse me for > such a wide distribution list, but I think that the solution should be > negotiated among the parties involved. > Now a description of the problem. > 1. VirtualBox executable is installed setuid root. Apparently, when > it is run it does some privileged things and then drops all of the > uids and gids (real, effective and saved) back to what they should > have been originally. VirtualBox does not do any (re-)exec of itself > after the above manipulations. > 2. issetugid(2) (which is apparently a BSD extension) on FreeBSD does > not consider the above manipulations as sufficient to mark an > executable as untainted. So it would return 1 for the VirtualBox > process. The manipulations do not guarantee that all privileged information and descriptors are no longer in the process. Often, a process will acquire some privileged resource and then drop to user credentials; for example, a raw socket in ping(8). Also, calls like getpwuid() might leave privileged information in memory. > 3. dbus code seems to impose some limitations on communication by such > "tainted" processes. It has the following code: > http://cgit.freedesktop.org/dbus/dbus/tree/dbus/dbus-sysdeps-unix.c#n4139 > For web-impaired :) the gist is that on BSD systems the code uses > issetugid but on other systems (like Linux) it uses getresuid and > getresgid and checks that all 3 uids are the same and all 3 gids are > the same. > As a result, on FreeBSD the dbus code would consider the VirtualBox > process tainted and that impairs its communication with KDE > components. On systems without issetugid or those that implement it > differently, dbus would work as for a normal process and all the > communications are OK. > I've also verified this conclusion by forcing dbus to use the > alternative logic on FreeBSD. I think dbus is doing the right thing on BSD and the getresuid/getresgid-based check on Linux is a bug. This bug was reported on https://bugs.freedesktop.org/show_bug.cgi?id=52202 however it was decided not to fix the bug because gnome-keyring-daemon relies on it. The gnome-keyring-daemon obtains cap_ipc_lock privilege (capability in Linux terms) from the filesystem and needs untrusted environment variables to work. (Note that this also means that moving a program from setuid root to capabilities may decrease security, since dbus and glib no longer know to be careful.) > So, possible solutions: > A. change how issetugid(2) works on FreeBSD; a comment in > sys_issetugid hints that other BSDs may have different behaviors I think it works correctly. By the way, issetugid(2) man page appears a bit too focused on UIDs/GIDs. The implementation also sets the bit (and rightly so) if MAC causes a transition on execve(2) or if jail_attach(2) is called. > B. change VirtualBox to be friendly to FreeBSD issetugid(2) and exec itself > after dropping the privileges This would be good, but it may need invasive changes to VirtualBox that its developers do not want to make. > C. patch dbus port to not use issetugid(2) This may open up security holes. > D. something else Two ideas. Firstly, a hack in VirtualBox that subverts issetugid() or _dbus_check_setuid() somehow may be appropriate. This does not require invasive changes to VirtualBox, and if you want a secure system you do not install VirtualBox anyway. This subversion could be done by overwriting the code of issetugid() or by inserting a dummy implementation of issetugid() with FBSD_1.0 version before libc.so in the lookup order, for example. Secondly, if setting KDE_FORK_SLAVES=1 works around the problem, perhaps KDE should behave that way automatically if it is called from a process with issetugid() true. -- Jilles Tjoelker