Re: Security issues with abstract namespace sockets

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 04.01.11 21:31, Matt McCutchen (matt@xxxxxxxxxxxxxxxxx) wrote:

> On Tue, 2011-01-04 at 14:11 +0100, Lennart Poettering wrote:
> > Of these being used, dbus is correctly implemented, since it randomizes
> > the socket name. Same for gdm.
> 
> The relevant point is not randomness or unguessability, but that dbus
> chooses an available name and passes the actual name being used to
> clients (via the DBUS_SESSION_BUS_ADDRESS environment variable).
> 
> However, even this may not be enough if the session dbus-daemon dies for
> any reason and an attacker takes over the name and sends malicious
> responses.  It would be preferable if process death cases (the
> OOM-killer, even) did not automatically become security holes.  I'm not
> sure how best to solve this.  Wean ourselves from the convenience of the
> abstract namespace and go back to filesystem sockets in places only
> writable by appropriate parties?

That's precisely what I want to tell people: don't use the abstract
socket namespace, unless you really know what you do. The only cases
where it really makes sense to use it is if you have a privileged
service that i sstarted before any user code and never goes away and
hence is not vulnerable to these problems. The D-Bus system bus, the
init systemd and udev are probably the only ones really qualifying for
that. Everything else is restartable.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux