Bugzilla – Bug 1076467
AUDIT-0: libratbag: suse-dbus-unauthorized-service
Last modified: 2022-06-22 09:25:37 UTC
The new libratbag update (package /hardware/libratbag) gained a new D-Bus service, and openSUSE:Factory rpmlint warns about it. [ 65s] libratbag-tools.x86_64: E: suse-dbus-unauthorized-service (Badness: 10000) /usr/share/dbus-1/system-services/org.freedesktop.ratbag1.service [ 65s] The package installs a DBUS system service file. If the package is intended [ 65s] for inclusion in any SUSE product please open a bug report to request review [ 65s] of the service by the security team. [ 65s] [ 65s] (none): E: badness 10000 exceeds threshold 1000, aborting. [ 65s] 4 packages and 0 specfiles checked; 1 errors, 4 warnings.
I will take this review.
A quick note for the start: The `ratbagctl` utility requires python-evdev which is currently not packaged for openSUSE. I've installed it locally after installing 'python3-devel': $ pip install evdev --user
I'm mostly finished with this audit. Sadly I can't accept the version 0.9.900 that you've packaged. It contains multiple security issues: - a stack buffer overflow not handled in ratbagd/ratbagd-device.c:179 which can be triggered via the following command line: > dbus-send --system --print-reply --dest=org.freedesktop.ratbag1 \ > /org/freedesktop/ratbag1/device/test_5fdevice \ > org.freedesktop.ratbag1.Device.GetSvg \ > string:`python3 -c "print('a'*5000)"` fixed by upstream commit 89aff23c - multiple D-Bus calls cause a three byte stack overwrite and result in a SEGFAULT fixed by upstream commit cbcdc4b72477aee5d98cbee43c9528d2fbc741ab - ratbagd_button_set_key() D-Bus callback allows a stack buffer overflow was completely removed in upstream commits afaf3fa83ddeeffce6a911225f7170afeba71be5 and 77847f570ce6ce9d3ed8d66cd0e47d4f5682bbeb The good news is that all of these issues are already fixed in the available upstream release 0.9.901. Also the general code quality of libratbag is good, despite the issues found above. So can you please package version 0.9.901 and give me an update? I will then do a quick follow-up review of the new version.
Apart from the security perspective some thoughts about the package: - as noted in comment 1 the ratbagctl script doesn't work currently due to the missing python-evdev module. - it might be worth a thought to package the dbus service ratbagd in a separate subpackage. - the ratbagd binary currently only works when executed by the root user. So placing it in /usr/sbin would actually make more sense than in /usr/bin.
One more thing about the D-Bus security of ratbagd: What I don't like is that every user with access to the D-Bus system bus can issue arbitrary commands without further verification. I understand that from a usability perspective the user should be able to configure the mice easily. Still the available commands like modifying mouse resolution etc. make it possible to kind of DoS a daemon running as root. Since this goes down to the USB hardware there will also be some kernel code that is accessible to regular users. To improve the situation it would be better to only allows members of a certain group e.g. "games" to be allowed talking to ratbagd. To achieve this the D-Bus configuration file "org.freedesktop.ratbag1.conf" would need to be adjusted. Instead of the line '<policy context="default">' we would need '<policy group="games">'. Do you think you can patch the configuration accordingly? I could try to make an upstream pull request that allows build time configuration of the policy. This would make packaging easier for the next releases of libratbag.
I've managed to get this commit merge into the upstream project: https://github.com/libratbag/libratbag/commit/6c182b8e9bb191dae8d308873732c860041f0719 When you backport this patch into the most recent libratbag release you can simply pass '-Ddbus-group=games' to meson.
>What I don't like is that every user with access to the D-Bus system bus can issue arbitrary commands without further verification. Can we make it such that only local users get that permissions?
(In reply to jengelh@inai.de from comment #7) > Can we make it such that only local users get that permissions? That would be acceptible security wise. However D-Bus on itself doesn't support such a policy. There is 'at_console' but it is deprecated. libratbag would need to implement polkit for this to work which is not currently the case. Also see here: https://lintian.debian.org/tags/dbus-policy-at-console.html
Thanks for the review. But it seems now something is completely messed up in ratbag itself. Were you actually able to start it at all in your review? Because I am not. 12:57 zap:~ > ratbagd ratbagd error: Failed to start ratbagd: Permission denied 12:57 zap:~ > su1 12:57 zap:/home/jengelh # ratbagd ratbagd error: Failed to start ratbagd: Permission denied
Yes I was able to start it. It will only run as root. But that should work. Maybe something wrong with the permissions? Check `ls -l /usr/bin/ratbagd`. Otherwise look at what `strace -f ratbagd` shows.
I wanted to take a look at this package. Sadly I can't find it anywhere but in Leap 42.2 and 42.3. If you could provide me with a link to the devel project this would be highly appreciated.
All that OBS tells me is $ sosc log -D hardware/libratbag ---------------------------------------------------------------------------- r20 | scarabeus_iv | 2018-03-19 12:15:42 | 1284455f3ff6d1b2c8e891985f9d13aa | unknown | 1 Given that openSUSE:Factory log entries look like ---------------------------------------------------------------------------- r5 | dimstar_suse | 2018-02-13 09:28:29 | 354726eb0292306cbd7290a0a9f779fe | 0.9 | rq573927 ftbfs; daemon startup is broken too this suggests that the package was deleted from the hardware project without a proper request. (Has opensuse come that far already?!)
(In reply to Jan Engelhardt from comment #12) > All that OBS tells me is > > > $ sosc log -D hardware/libratbag > ---------------------------------------------------------------------------- > r20 | scarabeus_iv | 2018-03-19 12:15:42 | 1284455f3ff6d1b2c8e891985f9d13aa > | unknown | > > 1 > > > Given that openSUSE:Factory log entries look like > > > ---------------------------------------------------------------------------- > r5 | dimstar_suse | 2018-02-13 09:28:29 | 354726eb0292306cbd7290a0a9f779fe | > 0.9 | rq573927 > > ftbfs; daemon startup is broken too > > > this suggests that the package was deleted from the hardware project without > a proper request. > > (Has opensuse come that far already?!) Since the package was broken in hardware repo for >1month I just deleted the package. There were 40 packages unresolvable or broken in the harware project, I can't hand review all of them, I checked history of commits and if there was no activity for > 60 days and the package was not in tumbleweed it was pruned. You can restore the package quite easily and make it work.
Jan, I'm assigning this bug to you, since there is nothing I can do at the moment. You may close the bug if you don't have time for it.
FYI, I have recovered the package, cleaned it up a little and requested re-addition to the hardware project: https://build.opensuse.org/request/show/621956.
The package has been re-accepted into the hardware project. It would be cool if you could pick up the review process again, Matthias. BTW: I have split the daemon into a separate package as you suggested earlier.
(In reply to marix@marix.org from comment #16) > The package has been re-accepted into the hardware project. It would be cool > if you could pick up the review process again, Matthias. > > BTW: I have split the daemon into a separate package as you suggested earlier. Thank you very much for taking care of this. Well we have the new upstream version containing the bugfixes. Only members of the group games can access the service. Looks good to me. I will take care of the whitelisting. There is still a functional issue: The package doesn't create the group "games" so I had to create that group manually. You should add some logic to the spec file to handle that. You can look in other game packages like rocksndiamonds or crawl that do something similar.
The whitelisting is on the way via sr#624309 Please refer to the explanations in the wiki: https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_whitelisting for more information about when the whitelisting will become active.
This is an autogenerated message for OBS integration: This bug (1076467) was mentioned in https://build.opensuse.org/request/show/627184 Factory / libratbag
SUSE-RU-2019:0097-1: An update that has 14 recommended fixes can now be installed. Category: recommended (moderate) Bug References: 1015141,1076467,1089114,1089340,1095769,1097339,1102836,1104110,1108037,1109938,1111254,1116686,1116758,1119975 CVE References: Sources used: SUSE Linux Enterprise Module for Development Tools 15 (src): rpmlint-1.10-7.3.1, rpmlint-mini-1.10-5.2.1
openSUSE-RU-2019:0059-1: An update that has 14 recommended fixes can now be installed. Category: recommended (moderate) Bug References: 1015141,1076467,1089114,1089340,1095769,1097339,1102836,1104110,1108037,1109938,1111254,1116686,1116758,1119975 CVE References: Sources used: openSUSE Leap 15.0 (src): rpmlint-1.10-lp150.6.3.1, rpmlint-mini-1.10-lp150.4.3.1