Bug 177880

Summary: User crashes system dbus with red hat example
Product: [Fedora] Fedora Reporter: Nick Lamb <njl>
Component: dbusAssignee: David Zeuthen <davidz>
Status: CLOSED WORKSFORME QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 4CC: mclasen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-11-05 21:01:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Crash system dbus as a user. none

Description Nick Lamb 2006-01-16 02:25:53 UTC 
Description of problem:

The example provided for manipulating BIND (named) with dbus crashes the system
message bus. This is both a crash and an example of elevated privilege (users
should not have enough privileges to crash system daemons), hence severity
SECURITY. The socket used to contact the messagebus is world writeable, so
anyone with user privileges can potentially crash the bus.

Version-Release number of selected component (if applicable):

dbus 0.33-3.fc4.1
bind 9.3.1-14_FC4

How reproducible:

Happens every time on this machine.

Steps to Reproduce:
1. As an ordinary user run the command

dbus-send --system --type=method_call --print-reply --dest=com.redhat.named
/foo/bar/baz foo.bar.baz

This command is simplified from the example provided in README.DBUS with the
Fedora Core BIND 9.3.1 documentation, which has the same results.

Actual results:

System dbus-daemon crashes, if it is run with --nofork to capture errors, the
output is:

2879: assertion failed "table->key_type == DBUS_HASH_STRING" file "dbus-hash.c"
line 1269 function _dbus_hash_table_remove_string
Aborted

Expected results:

dbus-daemon should not crash.
Comment 1 Andreas Øye 2006-06-02 08:24:16 UTC 
Created attachment 130385 [details]
Crash system dbus as a user. 

Loosely based on
http://blognote-info.com/index.php?2006/03/31/387-notification-framework
and changed in a misguided attempt by me to use the systembus. :-)
Comment 2 Christian Iseli 2007-01-20 00:55:21 UTC 
This report targets the FC3 or FC4 products, which have now been EOL'd.

Could you please check that it still applies to a current Fedora release, and
either update the target product or close it ?

Thanks.
Comment 3 Nick Lamb 2007-11-05 21:01:39 UTC 
I am the original reporter.

Seems to be fixed in Fedora 7 which I'm running here. So marking resolved
WORKSFORME. Please change this if there is a better resolution for bugs that are
now fixed but the fix isn't specifically known.