Re: Security issues with abstract namespace sockets

On Wed, 2011-01-05 at 11:12 -0500, Adam Jackson wrote:
> The deeper problem is that clients authenticate themselves to the
> server, but then simply trust that the server is the server they were
> hoping for.  If you don't have a process tree relationship (like the gdm
> +displayfd case) then you have to go all the way to something like
> Kerberos for that kind of bidirectional auth.

Not quite: you can use the xauth cookie as a pre-shared key.

> Simply moving back to
> filesystem sockets does not solve that -

Right; what solves it is putting the socket in a place that is writable
only by the user running the server.

> and indeed, has _more_ DoS
> conditions than abstract sockets since they don't get garbage-collected
> on system crash

They do if you use a tmpfs (e.g., /var/run with systemd), but in any
event it's easy enough to unlink the socket or try another name.  The
more significant DoS condition is another user taking the name you want,
which can happen in the abstract namespace but not in a directory only
you can write.

-- 
Matt

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
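
The point made in the message above, that a filesystem socket is safe from name squatting when its directory is writable only by the user running the server, can be checked by the client before it connects. This is an added example, not code from the original post or from any project discussed in the thread; the socket name `display.sock` and all function names are hypothetical, and Linux is assumed.

```python
import os
import socket
import stat
import tempfile

# Names below (display.sock, function names) are hypothetical, for illustration.
def dir_is_private(path, uid):
    """True if path is a real directory owned by uid with no group/other access."""
    st = os.lstat(path)  # lstat: a symlink in place of the directory fails the check
    return (stat.S_ISDIR(st.st_mode) and st.st_uid == uid
            and not st.st_mode & (stat.S_IRWXG | stat.S_IRWXO))

def serve(sock_dir, name="display.sock"):
    """Server: bind a listening socket inside a directory only we can write."""
    os.chmod(sock_dir, 0o700)
    path = os.path.join(sock_dir, name)
    if os.path.lexists(path):
        os.unlink(path)  # stale socket left by a crash; safe to remove in our own dir
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    return srv, path

def connect_checked(path, expected_uid):
    """Client: connect only if the socket's directory is private to expected_uid."""
    if not dir_is_private(os.path.dirname(path), expected_uid):
        raise PermissionError("socket directory is not private to the expected user")
    c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    c.connect(path)
    return c

def demo():
    """Constructed scenario; returns (connected_when_private, rejected_when_open)."""
    with tempfile.TemporaryDirectory() as d:
        srv, path = serve(d)
        c = connect_checked(path, os.getuid())
        connected = c.getpeername() == path
        c.close()
        os.chmod(d, 0o777)  # simulate a directory that other users can write
        try:
            connect_checked(path, os.getuid()).close()
            rejected = False
        except PermissionError:
            rejected = True
        srv.close()
        return connected, rejected

if __name__ == "__main__":
    print(demo())
```

The check covers only the immediate directory; parent directories must also not be replaceable by other users for the guarantee to hold.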

