Date: Mon, 12 Sep 2016 11:53:53 +0200
From: Sebastian Krahmer <krahmer@...e.com>
To: oss-security@...ts.openwall.com
Cc: matt@...uxbox.com, philippe.deniel@....fr
Subject: nfsd-ganesha allows anyone to call into DBUS?

Hi

The nfs-ganesha (userspace nfsd) offers a dbus API to control/admin
the nfsd via cmdline tools and some qt+python code.

The default dbus config seems to allow anyone to connect to
it and invoke methods. The code at least does not check any polkit
authorizations or dbus sender (at a first look). Am I missing something? If I don't,
the DBUS API should be declared experimental and disabled by default,
since there are some methods which would allow users to gain root.

https://github.com/nfs-ganesha/nfs-ganesha/
https://github.com/nfs-ganesha/nfs-ganesha/wiki/Dbusinterface

Sebastian

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@...e.com - SuSE Security Team
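
An added example, not part of the original post and not nfs-ganesha code: a check of the first layer the message mentions, the D-Bus policy file. The bus name `org.example.Service` and both policies are constructed placeholders; the function reports destinations that `<policy context="default">` leaves open to every caller.

```python
import xml.etree.ElementTree as ET

# Attributes that narrow a send rule to particular calls.
NARROWING = ("send_interface", "send_member", "send_path", "send_type")

# Constructed policies; org.example.Service is a placeholder bus name.
OPEN_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.example.Service"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.Service"/>
  </policy>
</busconfig>"""

RESTRICTED_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.example.Service"/>
    <allow send_destination="org.example.Service"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.example.Service"/>
    <allow send_destination="org.example.Service"
           send_interface="org.freedesktop.DBus.Introspectable"/>
  </policy>
</busconfig>"""

def open_destinations(policy_xml):
    """Bus names to which the default context allows unrestricted sends."""
    verdict = {}  # destination -> last unnarrowed allow (True) or deny (False)
    for policy in ET.fromstring(policy_xml).iter("policy"):
        if policy.get("context") != "default":  # only rules for every caller
            continue
        for rule in policy:  # document order: a later rule overrides
            dest = rule.get("send_destination")
            if dest is None or rule.tag not in ("allow", "deny"):
                continue
            if any(rule.get(attr) for attr in NARROWING):
                continue  # narrowed rules do not open or close everything
            verdict[dest] = (rule.tag == "allow")
    return sorted(d for d, is_open in verdict.items() if is_open)

if __name__ == "__main__":
    for name, text in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, open_destinations(text))
```

An empty result covers only the bus policy; whether the service itself checks the sender or a polkit authorization has to be reviewed in its code.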
