On Tue, 23.09.08 10:24, Rémi Cardona (remi at gentoo.org) wrote:

> What about abstract sockets? X now uses them too...
>
> http://cgit.freedesktop.org/xcb/libxcb/tree/src/xcb_util.c#163
>
> Wouldn't that fix /tmp issues?

Abstract Unix sockets still have a single shared namespace for all users. That means you still have a DoS vulnerability, because an evil user may simply take all well-known socket paths before you can take them, and then you've lost, because you don't have any name to take anymore. The only way to fix this properly is by using only sockets in /tmp that have a random name. Of course that limits their use, since when the name is random, not even you can connect to it anymore unless you get passed the path somehow.

OTOH unix sockets may not be placed in $HOME, due to NFS and stuff. $HOME would have the big advantage that it is not a shared namespace but a private one. OTOH it unfortunately is not machine-specific, but might be shared via NFS -- something /tmp does not suffer from.

To work around that PA now follows the following scheme: we create a randomly named subdir in /tmp where we put our sockets and then symlink a well-known name in $HOME to that dir. Every time we access those sockets we make sure the symlink still points to a dir in /tmp owned by us. The well-known dir in $HOME also includes a machine-specific id (usually the D-Bus machine id, with the hostname as fallback) in the name, to make sure our socket dir stays machine-specific and we don't get any problems over NFS.

Complicated? Yes! Necessary? Yes, absolutely, because Unix sucks.

All that said I still don't know how $TMPDIR fits into all this.

Lennart

-- 
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net         ICQ# 11060553
http://0pointer.net/lennart/           GnuPG 0x1A015CC4
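The random-subdir-plus-symlink scheme described in the mail, as an added Python example that is not from the original message or from PulseAudio's own code; the `pulse-` directory prefix, the `.pulse-<machine-id>` link name and the exact mode checks are assumptions made here:

```python
import os
import stat
import tempfile


def create_socket_dir(tmp_root, home, machine_id):
    """Create a randomly named, mode-0700 directory under tmp_root and point a
    well-known symlink in home (name includes machine_id) at it.
    Returns (link, target). Names are assumptions, not PulseAudio's."""
    target = tempfile.mkdtemp(prefix="pulse-", dir=tmp_root)  # random name
    os.chmod(target, 0o700)                                    # private to us
    link = os.path.join(home, ".pulse-" + machine_id)          # machine-specific
    os.symlink(target, link)
    return link, target


def verify_socket_dir(link, tmp_root):
    """Re-check the link before every use: it must be a symlink whose target
    is a real directory directly under tmp_root, owned by us and not
    group/world writable. Any failure means another user may have tampered
    with $HOME or /tmp, so the caller must refuse to use the sockets."""
    try:
        if not os.path.islink(link):
            return False
        target = os.readlink(link)
        # The target must live directly in tmp_root, not somewhere else.
        if os.path.dirname(os.path.normpath(target)) != os.path.normpath(tmp_root):
            return False
        # lstat: the target itself must be a directory, not a further symlink.
        st = os.lstat(target)
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


if __name__ == "__main__":
    # Demo on throwaway directories standing in for /tmp and $HOME.
    tmp_root, home = tempfile.mkdtemp(), tempfile.mkdtemp()
    link, _ = create_socket_dir(tmp_root, home, "0123456789abcdef")
    print("socket dir ok:", verify_socket_dir(link, tmp_root))
```

The check is repeated on every access because the link sits in a namespace the user controls but the target sits in the shared /tmp namespace; the check still leaves a small window between the lstat and the actual use, which is the residual risk of any path-based approach.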