Security issues with abstract namespace sockets

Matt McCutchen matt at mattmccutchen.net
Wed Jan 5 02:31:01 UTC 2011


On Tue, 2011-01-04 at 14:11 +0100, Lennart Poettering wrote:
> Of these being used, dbus is correctly implemented, since it randomizes
> the socket name. Same for gdm.

The relevant point is not randomness or unguessability, but that dbus
chooses an available name and passes the actual name being used to
clients (via the DBUS_SESSION_BUS_ADDRESS environment variable).

However, even this may not be enough if the session dbus-daemon dies for
any reason and an attacker takes over the name and sends malicious
responses.  It would be preferable if process death cases (the
OOM-killer, even) did not automatically become security holes.  I'm not
sure how best to solve this.  Wean ourselves from the convenience of the
abstract namespace and go back to filesystem sockets in places only
writable by appropriate parties?

-- 
Matt
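
An added example, not part of the original message and not dbus code: a client-side check for the filesystem-socket approach raised above, which refuses a socket whose parent directory is writable by other parties. It goes beyond the message by also checking the listener's UID with Linux SO_PEERCRED, the only check available for an abstract name; the helper names and socket names are hypothetical.

```python
import os, shutil, socket, stat, struct, tempfile

def peer_uid(sock):
    """UID of the process at the other end, recorded by the kernel (Linux SO_PEERCRED)."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid

def dir_is_private(path, uid):
    """True if path is a real directory owned by uid and not group/world writable."""
    st = os.lstat(path)
    return stat.S_ISDIR(st.st_mode) and st.st_uid == uid and not st.st_mode & 0o022

def connect_checked(address, expected_uid):
    """Connect to a Unix socket; refuse it unless the listener runs as expected_uid.

    Filesystem paths also get a parent-directory check (ancestors are not
    walked here). Abstract names (leading NUL) have no directory to check.
    """
    if not address.startswith("\0"):
        if not dir_is_private(os.path.dirname(address), expected_uid):
            raise PermissionError("socket directory is writable by other parties")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(address)
    if peer_uid(s) != expected_uid:
        s.close()
        raise PermissionError("listener is not running as the expected user")
    return s

def attempt(address, uid):
    try:
        connect_checked(address, uid).close()
        return "ok"
    except PermissionError:
        return "refused"

def demo():
    """Constructed scenario: listeners owned by this process, names are made up."""
    me, d = os.getuid(), tempfile.mkdtemp()          # mkdtemp creates mode 0700
    names = [os.path.join(d, "bus"), "\0example-bus-%d" % os.getpid()]
    servers = []
    for name in names:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(name); srv.listen(8); servers.append(srv)
    out = {"fs_private": attempt(names[0], me), "abstract_same_uid": attempt(names[1], me),
           "abstract_other_uid": attempt(names[1], me + 1)}
    os.chmod(d, 0o777)                               # directory now open to everyone
    out["fs_loosened"] = attempt(names[0], me)
    for srv in servers: srv.close()
    shutil.rmtree(d)
    return out
```

The UID check does not distinguish the real daemon from another process running as the same user, so it narrows the takeover case rather than closing it.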


