FS#65471 - [libqb] IPC communication fails due to wrong ownership if qb_ipcs_connection_auth_set() is used
Attached to Project:
Community Packages
Opened by Jonas Witschel (diabonas) - Wednesday, 12 February 2020, 15:27 GMT
Last edited by Jonas Witschel (diabonas) - Sunday, 23 May 2021, 14:19 GMT
Opened by Jonas Witschel (diabonas) - Wednesday, 12 February 2020, 15:27 GMT
Last edited by Jonas Witschel (diabonas) - Sunday, 23 May 2021, 14:19 GMT
|
Details
When the IPC server process runs as root, the temporary
directory it uses for communication is chowned to the user
and group of the IPC client process [1]. However if
qb_ipcs_connection_auth_set() [2] is used later on to change
the ownership of the IPC connection, the directory is not
chowned again, leading to wrong permissions as described in
the upstream bug report [3].
As a result, IPC communication in USBGuard between the systemd service running as root and the usbguard client binary run by non-root users is completely broken, see the upstream reports [4,5]. A pull request to fix the issue in libqb has been submitted and merged [6,7]. Since libqb is only used by USBGuard and USBGuard is directly affected by this bug, I suggest backporting commit dd22a1811f76f4e16d42de4d9f783abc345c3c17 [8] to libqb. Additional info: * libqb 1.0.5-1 * usbguard 0.7.5-2 Steps to reproduce: Install and start USBGuard, allow the current user to list devices: sudo pacman -S usbguard sudo systemctl start usbguard sudo usbguard add-user -d list $USER sudo systemctl restart usbguard Now the following command should work as $USER, but fails with "ERROR: IPC connect: service=usbguard: Permission denied": usbguard list-devices Running the command as root works as expected. After cherry-picking dd22a1811f76f4e16d42de4d9f783abc345c3c17, the command works as expected. [1] https://github.com/ClusterLabs/libqb/blob/d08dbcf08b0da418bce9b5427dfd89522916322a/lib/ipc_setup.c#L668 [2] https://github.com/ClusterLabs/libqb/blob/d08dbcf08b0da418bce9b5427dfd89522916322a/include/qb/qbipcs.h#L444 [3] https://github.com/ClusterLabs/libqb/issues/369 [4] https://github.com/USBGuard/usbguard/issues/289 [5] https://github.com/USBGuard/usbguard/issues/287 [6] https://github.com/ClusterLabs/libqb/pull/381 [7] https://github.com/ClusterLabs/libqb/pull/382 [8] https://github.com/ClusterLabs/libqb/commit/dd22a1811f76f4e16d42de4d9f783abc345c3c17 |
This task depends upon
Closed by Jonas Witschel (diabonas)
Sunday, 23 May 2021, 14:19 GMT
Reason for closing: Fixed
Additional comments about closing: libqb 2.0.3-1
Sunday, 23 May 2021, 14:19 GMT
Reason for closing: Fixed
Additional comments about closing: libqb 2.0.3-1
Some comments regarding the new libqb release:
- "--localstatedir=/var" must be added to the ./configure invocation, otherwise the test suite fails with "mkdir: cannot create directory ‘/usr/var’: Permission denied" in "start.test".
- The release is signed by the new PGP C5E29348A2B634E9F71B2014791890532CB5CDDE (libqb Release Signing Key <users@clusterlabs.org>), the old EA78541A2D92451106C8A1F7B67157F3A70D4537 (Christine Caulfield (Chrissie at work) <ccaulfie@redhat.com>) expired on 2020-01-25. Since the new key is not signed by the old one, no chain of trust can be established at the moment, I opened https://github.com/ClusterLabs/libqb/issues/398 upstream to hopefully get the new key signed by the old one.
For completeness, I have attached a patch containing the necessary changes to the PKGBUILD.
As for libqb 2.0.0 and later, you may want to enable systemd journal support with the `--enable-systemd-journal` configure option, although for some reason my local builds do not take this into account (is PKG_CHECK_MODULES failing to detect libsystemd?).