%PDF- %PDF-
Direktori : /usr/share/doc/dbus/ |
Current File : //usr/share/doc/dbus/README.Debian |
Adjusting limits to mitigate denial of service ============================================== 'dbus-daemon --system' has several arbitrary limits which are a trade-off between working correctly when not under attack, and preventing local denial of service attacks. System administrators with particularly hostile local users should review these limits and tune them if necessary. In particular, the fix for CVE-2014-3639 in dbus-1.8.8 makes it difficult for local users to prevent connections completely, but they can still introduce a delay which increases with larger authentication timeout (auth_timeout) values, by opening many parallel connections from different processes and never completing the authentication handshake. As a result, dbus 1.8.8 also reduced the auth_timeout from 30 seconds to 5 seconds to mitigate this delay. However, this change resulted in boot failures on some systems because systemd could not authenticate sufficiently quickly while the system was busy, and was reverted in 1.8.12. On fast systems with hostile local users, administrators can reduce this delay by returning to the 5 second timeout (or any other value in milliseconds), by saving this as /etc/dbus-1/system-local.conf or a file matching /etc/dbus-1/system.d/*.conf: <busconfig> <limit name="auth_timeout">5000</limit> </busconfig> If applying this change, please reboot several times and check the syslog or Journal for messages containing "Connection has not authenticated soon enough, closing it". Seeing that message while not subject to a denial-of-service attack indicates that the auth_timeout has been set too short.