Bug 1217191

Summary: AUDIT-WHITELIST: kde-inotify-survey: new revision of D-Bus service org.kde.kded.inotify.service
Product: [Novell Products] SUSE Security Incidents Reporter: Matthias Gerstner <matthias.gerstner>
Component: AuditsAssignee: Matthias Gerstner <matthias.gerstner>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: christophe, opensuse-kde-bugs
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1217076    

Description Matthias Gerstner 2023-11-15 13:18:13 UTC 
+++ This bug was initially created as a clone of Bug #1217076

Sub bug for a bunch of new D-Bus services in KDE6.

Package is found in KDE:Unstable:Applications/kde-inotify-survey.

E: dbus-file-digest-mismatch (Badness: 10) /usr/share/dbus-1/system- services/org.kde.kded.inotify.service expected sha256:89a2ce5a4c6ebd7cb471f820a28fbd2dd418e377cb2ed0eaea1af59840c1dabd, has:e56b75bc5cbaa9e4dfb5829dcb5c0d5d871c0533076b83ea2c0f363c00318ad4
E: dbus-file-digest-mismatch (Badness: 10) /usr/share/dbus-1/system.d/org.kde.kded.inotify.conf expected sha256:4eb68f2c3bc75842df0f3d67874588fc672ec540769db09c3a71cbb292a989f7, has:1bf419225b109ad681d7bce85dcb82694b7bb56e336cf9c0e0f86318d18aca8f
Comment 1 Matthias Gerstner 2023-11-28 11:33:33 UTC 
I will work on this
Comment 2 Matthias Gerstner 2023-11-28 14:29:50 UTC 
The codebase for this is really small. It is mostly read-only: walking through
all pids in /proc and gather their inotify FD use counts. This information is
imperfect but that's okay for the purpose of the tool.

The only place where something privileged happens is when the system wide
inotify limits are changed. For this sysctl drop-in configuration files are
placed in /etc/sysctl.d. This part also looks sane.

I reviewed upstream commit 4d26650. We will keep this bug open and when the
KDE6 release is drawing near I will do a follow-up review of any changes
introduced till then.
Comment 3 Matthias Gerstner 2024-02-21 14:50:39 UTC 
So far I've only seen a Factory staging incident for KDE:Frameworks. This here
is for KDE:Applications. Do you also need the whitelisting for this here now
already?
Comment 4 Christophe Marin 2024-02-21 15:13:13 UTC 
(In reply to Matthias Gerstner from comment #3)
> So far I've only seen a Factory staging incident for KDE:Frameworks. This
> here
> is for KDE:Applications. Do you also need the whitelisting for this here now
> already?

I'd say yes. I'm working on final changes for packages that will be soon in KDE:Applications

the current RC package that will be submitted to this repo is in my branch: https://build.opensuse.org/package/show/home:krop:applications-24.01.95/kde-inotify-survey

Nothing should have changed since the review
Comment 5 Matthias Gerstner 2024-02-22 11:16:32 UTC 
I can confirm that in the upstream Git repository mostly only i18n noise
happened. I will prepare the whitelisting then.
Comment 6 Matthias Gerstner 2024-02-22 13:10:06 UTC 
The package name actually stayed the same for kde-inotify-survey. But the
contents of the D-Bus configuration files changed as follows:

--- /usr/share/dbus-1/system-services/org.kde.kded.inotify.service
2024-02-03 03:23:17.000000000 +0100
+++ ./usr/share/dbus-1/system-services/org.kde.kded.inotify.service
2024-02-20 00:48:35.000000000 +0100
@@ -1,4 +1,4 @@
 [D-BUS Service]
 Name=org.kde.kded.inotify
-Exec=/usr/libexec/kauth/kded-inotify-helper
+Exec=/usr/libexec/kf6/kauth/kded-inotify-helper
 User=root

--- /usr/share/dbus-1/system.d/org.kde.kded.inotify.conf        2024-02-03
03:23:17.000000000 +0100
+++ ./usr/share/dbus-1/system.d/org.kde.kded.inotify.conf       2024-02-20
00:48:35.000000000 +0100
@@ -7,5 +7,9 @@
   <policy user="root">
     <allow own="org.kde.kded.inotify"/>
   </policy>
-
+
+  <policy context="default">
+    <allow send_destination="*"/>
+  </policy>
+
 </busconfig>

The latter is not right. This is too open and might affect also other D-Bus
services. Usually this says something like
'<allow send_destination="org.kde.kded.inotify"/>'.

I've overlooked this in the other whitelistings for KDE6. They all use this
new pattern. The reason is found in kauth:

https://invent.kde.org/frameworks/kauth/-/commit/d7916401a335d3a71d617333a471d3c5f20d5cf5

I still have to check the impact of that misconfiguration. If such D-Bus
configuration files from KDE are already used in production somewhere then
this might be CVE material.
Comment 7 Matthias Gerstner 2024-02-22 14:08:53 UTC 
(In reply to matthias.gerstner@suse.com from comment #6)
> I still have to check the impact of that misconfiguration. If such D-Bus
> configuration files from KDE are already used in production somewhere then
> this might be CVE material.

I just confirmed that this indeed has a global effect on other D-Bus services.
The details are complex, because the dbus-daemon builds a global configuration
out of all the *.conf snippets found in the directory. I could reproduce it
against our tpm2.0-abrmd package, though. This ships a service that should
only be reachable by "root" or the "tss" user. Once the kde inotify
configuration file is installed, anybody can talk to the tpm-abrmd though.

Filippo, my colleague, digged out the upstream MR# that lead to this commit:

https://invent.kde.org/frameworks/kauth/-/merge_requests/44

There "Marc Deop i Argemí" even suggested the right thing to do, what is
recommended in the D-Bus documentation, but it wasn't done.

We need to involve KDE security with this. This needs to be fixed ASAP. It
also means that we have to touch all the KDE6 whitelistings we already made
_again_. *sigh*.
Comment 8 Matthias Gerstner 2024-02-28 11:10:56 UTC 
After the fixes in Kauth the whitelisting for inotify is now also in place.