noexec on /dev/shm

Lennart Poettering mzerqung at 0pointer.de
Sat Dec 25 18:37:20 UTC 2010


On Sat, 25.12.10 11:51, Casey Dahlin (cdahlin at redhat.com) wrote:
> > Could you explain a bit perhaps? I'm not familiar with them... (or
> > maybe you have a url I could surf to?)
> > 
> Basically, you put a \0 in front of the path when you bind the socket. So, for
> example, bind to "\0/jack/socket". Yes, that looks weird, but it works. The
> socket will not appear anywhere in the filesystem, but can still be opened by
> using that wonky path from anywhere. When no longer referenced the socket will
> simply disappear.
> 
> Here's a link, though it takes a while to get to the point:
> http://blog.eduardofleury.com/archives/2007/09/13/

BTW: I can only ask everybody to be very careful with abstract namespace
sockets, since there is no access control applied to the namespace:
everybody can allocate any socket. If jack would hardcode the socket it
uses to \0/org/jack/socket or so, then a) only one user could run jack
at a time, b) an evil user could simply allocate that socket and thus
ensure that nobody else can run jack anymore (DoS) and c) jack clients of
other users might try to connect to a jack instance belonging to one
user, which might create confusion and errors.

If you place a socket in a dir such as $XDG_RUNTIME_DIR these problems
don't exist, since that dir belongs to the user, and only the user, so
nobody else can allocate sockets in it or connect to it, which fixes the
problems pointed out above.

Or to turn this around: abstract namespace sockets are only safe to use
if they:

a) use a randomized name (which makes them a lot less useful, since you
need to add some additional logic to find out what name they have for
your application)

or 

b) use a fixed name, but only by a system daemon that is started early
at boot (i.e. at a time where no evil user could be logged in) and is
never restarted (so that no time window exists where the socket is
unallocated during normal runtime where evil users could take advantage
of).

That basically means that besides systemd itself and maybe the D-Bus
system bus almost nobody can safely use fixed name abstract namespace
sockets. In particular user code that uses fixed name abstract namespace
sockets is necessarily vulnerable to DoS attacks.

Yes, abstract namespace sockets only have a very limited use.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
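The following is an added example, not part of the original thread or of jack or systemd, that demonstrates the two points of the mail in working code: a fixed-name abstract-namespace socket is a first-come, first-served resource with no ownership check (the second bind simply fails with EADDRINUSE, and the name is free again the moment the first holder closes it), whereas a path socket inside a user-private directory such as $XDG_RUNTIME_DIR is protected by the directory's mode, which the kernel enforces on both bind() and connect(). The temp directory standing in for $XDG_RUNTIME_DIR, the "jack-" name prefix and the helper names are all assumptions of this example. Linux only, since the abstract namespace is a Linux extension of AF_UNIX.

```python
"""Added example (not from the original thread): fixed-name abstract
socket vs. path socket in a private runtime directory. Linux only."""
import errno
import os
import socket
import stat
import tempfile


def abstract_addr(name: str) -> bytes:
    # A leading NUL byte selects the abstract namespace. Nothing is created
    # in the filesystem, so no file or directory permissions apply.
    return b"\0" + name.encode()


def bind_abstract(name: str) -> socket.socket:
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(abstract_addr(name))
    s.listen(1)
    return s


def random_abstract_name(prefix: str = "jack") -> str:
    # Option (a) from the mail: an unguessable name. The application still
    # has to publish it somewhere (e.g. a file in a private dir) for clients.
    return f"{prefix}-{os.urandom(16).hex()}"


def squat_fixed_name(name: str) -> str:
    """Whoever binds a fixed abstract name first owns it; a second bind
    fails with EADDRINUSE and the kernel has no owner to check against.
    Returns the errno name observed on the second bind."""
    first = bind_abstract(name)
    try:
        second = bind_abstract(name)
        second.close()
        return "second bind succeeded"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        first.close()


def name_free_after_close(name: str) -> bool:
    """The name is released as soon as its last reference is closed: this is
    the restart window option (b) in the mail warns about."""
    bind_abstract(name).close()
    s = bind_abstract(name)
    s.close()
    return True


def private_dir_socket() -> dict:
    """Mitigation from the mail: bind to a path inside a directory owned by
    and only accessible to the user. The directory mode (0700) is enforced
    by the kernel on bind() and connect(). A constructed temp dir stands in
    for $XDG_RUNTIME_DIR here."""
    runtime_dir = tempfile.mkdtemp(prefix="runtime-")  # created with mode 0700
    os.chmod(runtime_dir, 0o700)                         # make it explicit
    path = os.path.join(runtime_dir, "socket")
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        server.bind(path)
        server.listen(1)
        client.connect(path)   # the directory owner can reach the socket
        conn, _ = server.accept()
        conn.close()
        return {
            "dir_mode": stat.S_IMODE(os.stat(runtime_dir).st_mode),
            "socket_in_fs": stat.S_ISSOCK(os.stat(path).st_mode),
            "owner_connect_ok": True,
        }
    finally:
        client.close()
        server.close()
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(runtime_dir)


if __name__ == "__main__":
    print("second bind of fixed name:", squat_fixed_name(random_abstract_name("demo")))
    print("name reusable after close:", name_free_after_close(random_abstract_name("demo")))
    print("private dir socket:", private_dir_socket())
```

The squat demo uses a randomized name purely so that the example does not collide with anything else on the host; the point it makes is the same for any fixed name, since the second bind fails for every uid, not just a different one.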

