From: Andriy Gapon
Date: Wed, 28 Aug 2013 15:09:53 +0300
To: freebsd-emulation@FreeBSD.org, freebsd-gnome@FreeBSD.org
Cc: Greg Rivers, freebsd-standards@FreeBSD.org, kde@FreeBSD.org, freebsd-security@FreeBSD.org, freebsd-hackers@FreeBSD.org
Subject: Re: [kde-freebsd] virtualbox file dialog problem
Message-ID: <521DE891.9070107@FreeBSD.org>
In-Reply-To: <51E793DB.2020607@FreeBSD.org>

on 18/07/2013 10:06 Andriy Gapon said the following:
> on 18/07/2013 03:25 Greg Rivers said the following:
>> On Wed, 17 Jul 2013, Andriy Gapon wrote:
>>
>>> I run virtualbox in KDE environment. A while ago (can't say exactly when) I
>>> started to have a problem where any file opening dialog would fail with this
>>> message: "Cannot talk to klauncher: Not connected to D-Bus server"
>>>
>>> I found that setting KDE_FORK_SLAVES=1 in environment works around the problem.
>>
>> I reported this same problem in this[1] thread on freebsd-ports@. In that post
>> I provided a link to a similar report for KDE on openSUSE that required a dbus
>> patch to fix.
>>
>> I'm guessing that either the latest versions of VirtualBox have a bug in their
>> dbus interface, or the version of dbus we have needs to be updated.
>>
>> [1] http://lists.freebsd.org/pipermail/freebsd-ports/2013-July/084783.html
>
> I saw those OpenSUSE reports but I think that they were against the much older
> version of dbus.

I have done some more investigation and the problem turns out to be dbus related
indeed.
The problem has only a tangential relation to KDE, so I plan to drop kde@ from
this thread.
It has a relation to what VirtualBox does, so I am keeping emulation@.
It is related to dbus and gnome@ is its maintainer(s).
It is also related to how issetugid(2) works, so I am including standards@,
security@ and hackers@.

So, please excuse me for such a wide distribution list, but I think that the
solution should be negotiated among the parties involved.

Now a description of the problem.

1. VirtualBox executable is installed setuid root. Apparently, when it is run it
does some privileged things and then drops all of the uids and gids (real,
effective and saved) back to what they should have been originally.
VirtualBox does not do any (re-)exec of itself after the above manipulations.

2. issetugid(2) (which is apparently a BSD extension) on FreeBSD does not
consider the above manipulations as sufficient to mark an executable as untainted.
So it would return 1 for the VirtualBox process.

3. dbus code seems to impose some limitations on communication by such "tainted"
processes. It has the following code:
http://cgit.freedesktop.org/dbus/dbus/tree/dbus/dbus-sysdeps-unix.c#n4139
For web-impaired :) the gist is that on BSD systems the code uses issetugid but
on other systems (like Linux) it uses getresuid and getresgid and checks that
all 3 uids are the same and all 3 gids are the same.

As a result, on FreeBSD the dbus code would consider the VirtualBox process
tainted and that impairs its communication with KDE components.
On systems without issetugid or those that implement it differently, dbus would
work as for a normal process and all the communications are OK.
I've also verified this conclusion by forcing dbus to use the alternative logic
on FreeBSD.

So, possible solutions:

A. change how issetugid(2) works on FreeBSD; a comment in sys_issetugid hints
that other BSDs may have different behaviors
B. change VirtualBox to be friendly to FreeBSD issetugid(2) and exec itself
after dropping the privileges
C. patch dbus port to not use issetugid(2)
D. something else

What do you guys think?

-- 
Andriy Gapon
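
Added example, not part of the original message and not code from dbus, VirtualBox or FreeBSD: a small C model of why the two taint checks described in point 3 disagree for a process that was started set-uid and then dropped every id without exec'ing. The struct, the function names and the uid/gid values are constructed for illustration, and the exec rule is a simplified assumption about how the kernel flag behind issetugid(2) is set and cleared.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model (not kernel code): process ids plus the set-id taint flag
 * that issetugid(2) reports on FreeBSD. */
struct cred { unsigned ruid, euid, suid, rgid, egid, sgid; bool sugid; };

/* exec: a set-uid image changes euid and sets the flag; an image without
 * set-id bits clears it once the effective ids match the real ones. */
static void model_exec(struct cred *c, bool setuid_bit, unsigned owner)
{
    if (setuid_bit && c->euid != owner) {
        c->euid = owner;
        c->sugid = true;
    } else if (c->euid == c->ruid && c->egid == c->rgid) {
        c->sugid = false;
    }
    c->suid = c->euid;
    c->sgid = c->egid;
}

/* Drop every id back to the real ones; the flag is left untouched. */
static void model_drop(struct cred *c)
{
    c->euid = c->suid = c->ruid;
    c->egid = c->sgid = c->rgid;
}

/* Check as described for BSD: ask the kernel flag. */
static bool tainted_flag(const struct cred *c) { return c->sugid; }

/* Check as described for Linux: all 3 uids equal and all 3 gids equal. */
static bool tainted_ids(const struct cred *c)
{
    return !(c->ruid == c->euid && c->euid == c->suid &&
             c->rgid == c->egid && c->egid == c->sgid);
}

static void show(const char *step, const struct cred *c)
{
    printf("%-28s flag=%d ids=%d\n", step, tainted_flag(c), tainted_ids(c));
}

int main(void)
{
    struct cred c = { 1001, 1001, 1001, 1001, 1001, 1001, false }; /* constructed */
    model_exec(&c, true, 0);  show("exec set-uid root image", &c);
    model_drop(&c);           show("drop all ids, no exec", &c);
    model_exec(&c, false, 0); show("exec image without set-id", &c);
    return 0;
}
```

The middle step is the state the message describes: the id comparison reports an ordinary process while the flag-based check still reports a tainted one.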