oss-sec mailing list archives

nfsd-ganesha allows anyone to call into DBUS?


From: Sebastian Krahmer <krahmer () suse com>
Date: Mon, 12 Sep 2016 11:53:53 +0200

Hi

The nfs-ganesha (userspace nfsd) offers a dbus API to control/admin
the nfsd via cmdline tools and some qt+python code.

The default dbus config seems to allow anyone to connect to
it and invoke methods. The code at least does not check any polkit
authorizations or dbus sender (at a first look). Am I missing something? If I don't,
the DBUS API should be declared experimental and disabled by default,
since there are some methods which would allow users to gain root.

https://github.com/nfs-ganesha/nfs-ganesha/
https://github.com/nfs-ganesha/nfs-ganesha/wiki/Dbusinterface

Sebastian

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse com - SuSE Security Team
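
Added example, not part of the original message and not nfs-ganesha code: a Python check for the condition described above, where the system bus policy is the only gate and lets any local user send method calls to the service. The bus name, interface name and both policy files are constructed for illustration; only context="default" rules using send_destination/send_interface are modelled.

```python
import xml.etree.ElementTree as ET

# Constructed policies; the bus and interface names are placeholders,
# not taken from nfs-ganesha's shipped D-Bus configuration.
OPEN_POLICY = """<busconfig>
  <policy user="root"><allow own="org.example.nfsd"/></policy>
  <policy context="default">
    <allow send_destination="org.example.nfsd"/>
  </policy>
</busconfig>"""

RESTRICTED_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.example.nfsd"/>
    <allow send_destination="org.example.nfsd"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.example.nfsd"/>
    <allow send_destination="org.example.nfsd"
           send_interface="org.freedesktop.DBus.Introspectable"/>
  </policy>
</busconfig>"""

def any_user_may_call(policy_xml, bus_name, interface):
    """Apply context="default" rules in order (last match wins) to a method call."""
    allowed = False  # the stock system bus denies method calls unless a rule allows them
    for policy in ET.fromstring(policy_xml).iter("policy"):
        if policy.get("context") != "default":
            continue  # user=/group= policies only apply to those principals
        for rule in policy:
            if rule.tag not in ("allow", "deny"):
                continue
            sends = {k: v for k, v in rule.attrib.items() if k.startswith("send_")}
            if not sends or set(sends) - {"send_destination", "send_interface"}:
                continue  # not a send rule, or narrower than this sketch models
            if sends.get("send_destination", bus_name) != bus_name:
                continue
            if sends.get("send_interface", interface) != interface:
                continue
            allowed = rule.tag == "allow"
    return allowed

if __name__ == "__main__":
    for name, xml in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, any_user_may_call(xml, "org.example.nfsd", "org.example.nfsd.admin"))
```

A policy that passes this check only limits who may reach the service over the bus; a service that performs privileged actions still needs its own sender or polkit check.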

