Skip to content

DBus API lacks authentication and authorization #20

Description

@montfort

Risk ID: RISK-002 / VULN-002
Severity: HIGH (CVSS 7.5)
Component: DBus Service
Attack Vector: Local
Privileges Required: Low
Impact: Unauthorized Operations

Description

The DBus API does not implement explicit authentication. Any process in the same user session can call any method, including sensitive operations like deleting sync configuration or forcing re-authentication.

Vulnerable Endpoints

<interface name="com.strangedaystech.LNXDrive.Manager">
  <!-- No auth required -->
  <method name="RemoveAccount">
    <arg type="s" name="namespace"/>
  </method>
  <method name="ResetSync"/>
  <method name="ClearCache"/>
</interface>

Attack Scenario

# Malicious script removes all accounts
dbus-send --session --dest=com.strangedaystech.LNXDrive \
  /org/strangedaystech/LNXDrive/Manager \
  com.strangedaystech.LNXDrive.Manager.ResetSync

Impact

  • Account configuration deletion
  • Forced re-authentication
  • Data loss from cache clearing
  • Denial of service

Remediation (Short-term P0)

  1. Implement PolicyKit integration for sensitive operations
  2. Require user confirmation for destructive operations
  3. Add caller identification logging

Simulation Scenario

SIM-L1-002

Source

Imported from .straymark/02-design/risk-analysis/RISK-002-security-vulns.md on 2026-05-29.

Metadata

Metadata

Assignees

No one assigned

    Labels

    dbusD-Bus IPC layerfrom-risk-analysisImported from .straymark/02-design/risk-analysis/priority/P2Medium: planned, but not blockingsecuritySecurity vulnerability or hardening

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions