Security issues with abstract namespace sockets

Matt McCutchen matt at mattmccutchen.net
Wed Jan 5 18:38:02 UTC 2011


On Wed, 2011-01-05 at 11:12 -0500, Adam Jackson wrote:
> The deeper problem is that clients authenticate themselves to the
> server, but then simply trust that the server is the server they were
> hoping for.  If you don't have a process tree relationship (like the gdm
> +displayfd case) then you have to go all the way to something like
> Kerberos for that kind of bidirectional auth.

Not quite: you can use the xauth cookie as a pre-shared key.

> Simply moving back to
> filesystem sockets does not solve that -

Right; what solves it is putting the socket in a place that is writable
only by the user running the server.

> and indeed, has _more_ DoS
> conditions than abstract sockets since they don't get garbage-collected
> on system crash

They do if you use a tmpfs (e.g., /var/run with systemd), but in any
event it's easy enough to unlink the socket or try another name.  The
more significant DoS condition is another user taking the name you want,
which can happen in the abstract namespace but not in a directory only
you can write.

-- 
Matt
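The two points above (a second user can claim an abstract name, while a socket in a directory only you can write cannot be taken and a stale one is simply unlinked) can be shown in a few lines. This is an added example, not code from the thread; it assumes Linux, since only Linux has the abstract namespace, and the socket name and directory are constructed for the demo.

```python
import errno
import os
import socket
import stat
import tempfile


def bind_abstract(name):
    """Bind a Linux abstract-namespace socket. The name is global to the
    network namespace, so whoever binds it first (any local user) owns it;
    a later bind fails with EADDRINUSE."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(b"\0" + name.encode())
    return s


def private_dir_ok(path):
    """True if path is a real directory (not a symlink), owned by us and not
    writable by group or others, so no other user can pre-create the name."""
    st = os.lstat(path)
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == os.getuid()
            and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)))


def bind_filesystem(sock_dir, name):
    """Bind a filesystem socket inside a directory only we can write,
    first removing a stale socket left behind by a crash."""
    if not private_dir_ok(sock_dir):
        raise PermissionError(f"{sock_dir} is not a private directory")
    path = os.path.join(sock_dir, name)
    try:
        if stat.S_ISSOCK(os.lstat(path).st_mode):
            os.unlink(path)  # stale socket from an earlier run
    except FileNotFoundError:
        pass
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    return s


def demo():
    """Constructed demo: abstract-name collision vs. private-directory socket."""
    name = "demo-X0-%d" % os.getpid()  # constructed name, unique per run
    first = bind_abstract(name)
    try:
        bind_abstract(name)  # same name again: the first holder wins
        collision = False
    except OSError as e:
        collision = e.errno == errno.EADDRINUSE
    first.close()
    with tempfile.TemporaryDirectory() as d:  # mkdtemp creates it mode 0700
        bind_filesystem(d, name).close()  # leaves a stale socket file behind
        bind_filesystem(d, name).close()  # stale file unlinked, rebind succeeds
    return collision, True
```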
