[Pkg-utopia-maintainers] Bug#818362: dbus ignores the configured auth_timeout

Thu Mar 17 11:47:06 UTC 2016

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Simon,

On 03/16/16 15:52, Simon McVittie wrote:
> On Wed, 16 Mar 2016 at 14:11:12 +0100, Harald Dunkel wrote:
> 
>> How can I increase the timeout to enable booting a handful of LXC containers in parallel?
> 
> Create /etc/dbus-1/system-local.conf containing:
> 
> <busconfig> <limit name="auth_timeout">123456</limit> </busconfig>
> 
> The value is in milliseconds, adjust as required.
> 

I will try.

> How many LXC containers are you booting, on what hardware, and what service is connecting to the system bus and getting rejected?

My test case is 31 containers on a quad core (+ht) Xeon E5420 CPU.
The production machine is a 2 * 6core (+ht) Xeon E5-2630 running
about 20 containers. On both hosts it can take 5 or 10 minutes until
the last container gets its IP address via network (DHCP).

The service that apparently cannot connect is sssd. The containers
are started, but on some nss is broken.

> It would be better if you could avoid having to raise this limit too high. The limit was added to resolve CVE-2014-3639, a denial of service vulnerability: with a high or infinite authentication timeout, a uid (let's say alice) can prevent another uid (let's say bob) from connecting to the
> system bus, by opening enough connections to fill all the unauthenticated connection slots (by default 64 connections) and not making any attempt to authenticate themselves.

Wouldn't you agree that a high watermark on the number of used
connection slots to enable the timeout restriction would have been
a better choice?

> 
> You might be able to mitigate this by increasing the max_incomplete_connections limit. By default the system dbus-daemon will support up to 64 incomplete (unauthenticated) connections, up to 256 authenticated connections per uid (max_connections_per_user), and up to 2048 authenticated
> connections in total (max_completed_connections).
> 
> In general we can't tell whose a connection is until it has authenticated, but on Linux with the default system bus configuration we can, so in newer upstream versions we might be able to mitigate this sort of thing by making uid 0 immune to these limits. Would that solve this for you?
> 

Probably its reasonable to ignore the timeout for uid0, but surely it
will take some time till this change appears in a future Debian release.
I am still struggling to replace the old Squeeze hosts nobody likes to
give up. They worked too well.

Thanx very much for your detailed description. This was very helpful.

Regards
Harri

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJW6pk5AAoJEAqeKp5m04HLUEgH/A3pWE2K5R6n75KN4cdh5fBJ
qvcVRiEA/rG29eKjbYNLaMsdIXmOq+oFHxngV+Mac98JbKwzHyWh5SrJNuxuZVYt
70GrL5jZNMnRGeK+zR5CvMAX8rhVgPYRCeRLgyqFJVDMhP3Dj3tGEYVk078PXROH
Hu/WrkqRpm6CYMR8DzsyqIYl9tQnTPFE/YVDBwA4gH69IFD8VS5S43i7GthX1/mo
Ls5j6KDSA53dTRAP1HtS0Yy75sl1aVYBYbUlkw+u9jRuzEhKAlj3lLHKh9iuDc0W
xauM0jEk7Xj+i5mP+1JXzZBDsg/cArh+GzvUIr4dSb+dz1o4Iso3rykyIgYyFVg=
=4RWX
-----END PGP SIGNATURE-----