Date: Wed, 26 Sep 2012 05:16:16 -0700
From: David Wolfskill
To: moused86799
Cc: freebsd-security@freebsd.org
Subject: Re: Vulnerability - moused dependency on dbus-daemon - how to get rid of DBUS?
Message-ID: <20120926121616.GA1645@albert.catwhisker.org>
In-Reply-To: <1348634420023-5746974.post@n5.nabble.com>

On Tue, Sep 25, 2012 at 09:40:20PM -0700, moused86799 wrote:
> one way of attacking the OS
> 1.search the lists
> http://lists.freebsd.org/pipermail/freebsd-questions/2012-May/241042.html
> 2.)mouse intermittent works if problem with dbus-daemon
> 3.)analyze - dbus-daemon is a 'relatively unknown' and extra DEPENDENCY
> of moused

Errr... Perhaps in your configuration; perhaps also in (some) others'.

But moused is part of base FreeBSD, while dbus* is not. So it is
certainly possible to run moused without dbus-daemon.

But as a somewhat more constructive demonstration:

g1-227(10.0-C)[1] ps axwwl | egrep 'moused|dbus'
0 1461 1 0 20 0 10076 9840 select Ss - 0:00.10 /usr/sbin/moused -a 2.7 -p /dev/psm0 -t auto
1001 7579 1855 0 21 0 10148 9280 - RL+ 7 0:00.01 egrep moused|dbus
g1-227(10.0-C)[2]

That's from my laptop, running X. While I have dbus-1.4.14_4 &
dbus-glib-0.94 installed (as they are listed as dependencies for some
other ports I have installed), I decline to use them.

> 4.)set kern.securelevel=333
> 5.)interrupt control of moused
> root /usr/sbin/moused -F 200 -A 1.5.2.0 -a 0.7 -r high -V -p /dev/psm0 -t
> auto
> 6.)alt to port /dev/psm0 - not completed

Errr... Everything you're doing there already requires eUID 0 access, so
I'm not sure what your concern really is.

> so, how can anything dbus be ELIMINATED from the OS?

g1-227(10.0-C)[8] grep dbus /etc/rc.conf*
g1-227(10.0-C)[9]

> ...
> question: how can dbus or dbus-daemon be eliminated from the basic OS
> configuration for a developer workstation?

Well, I believe my laptop is configured in a way that meets the stated
criteria. (It has a local private mirror of the FreeBSD src, ports, &
doc SVN repositories, and I track stable/9 & head on it, daily.)

About the only point that comes to mind that I haven't already pointed
out is the addition of a stanza:

Section "ServerFlags"
        Option "AutoAddDevices" "False"
EndSection

to xorg.conf -- though there are other ways to accomplish that, as well
(IIRC).

Of course, I avoid these fancy "desktop environment" things; the window
manager I use descends rather directly from twm (and looks like it), but
it works for me (even though I know of only 2 other folks who I have
seen use it -- one of whom is my spouse).

Peace,
david
--
David H. Wolfskill david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
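
The three checks the reply walks through (no dbus process beside moused, nothing dbus-related enabled in rc.conf, AutoAddDevices turned off in xorg.conf) can be scripted as filters. This is an added example, not part of the original message; the function names, the /etc/X11/xorg.conf path and the set of accepted "false" spellings are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): the reply's three checks as
# stdin filters, so they work on live output or on captured text.

# Print `ps axwwl` lines whose command is a D-Bus process. Field 13 is COMMAND
# in the `ps -l` layout shown in the reply, so "egrep moused|dbus" is not matched.
dbus_procs() {
    awk '{ n = split($13, p, "/"); if (p[n] ~ /^dbus-(daemon|launch)$/) print }'
}

# Print rc.conf variables that mention dbus and are set to YES (comments skipped).
rc_dbus_enabled() {
    awk -F= '/^[ \t]*#/ { next }
             $1 ~ /dbus/ && toupper($2) ~ /^"?YES"?/ { gsub(/[ \t]/, "", $1); print $1 }'
}

# Exit 0 only if Section "ServerFlags" sets Option "AutoAddDevices" to a false value.
xorg_autoadd_off() {
    awk '{ sub(/#.*/, ""); l = tolower($0) }
         l ~ /^[ \t]*section[ \t]+"serverflags"/ { sf = 1; next }
         l ~ /^[ \t]*endsection/                 { sf = 0 }
         sf && l ~ /option[ \t]+"autoadddevices"[ \t]+"(false|off|no|0)"/ { ok = 1 }
         END { exit !ok }'
}

# Run all three against the local host.
# Assumption: xorg.conf is at /etc/X11/xorg.conf.
audit_live() {
    ps axwwl | dbus_procs | grep . && echo "dbus process running"
    cat /etc/rc.conf* 2>/dev/null | rc_dbus_enabled | grep . && echo "dbus enabled in rc.conf"
    xorg_autoadd_off < /etc/X11/xorg.conf || echo "AutoAddDevices not disabled"
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Run with `--live` on the host being checked; without arguments the script only defines the functions.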