Security issues with abstract namespace sockets

Lennart Poettering mzerqung at 0pointer.de
Wed Jan 5 15:35:30 UTC 2011


On Wed, 05.01.11 09:39, Matt McCutchen (matt at mattmccutchen.net) wrote:

> > That's precisely what I want to tell people: don't use the abstract
> > socket namespace, unless you really know what you do. The only cases
> > where it really makes sense to use it is if you have a privileged
> > service that is started before any user code and never goes away and
> > hence is not vulnerable to these problems.
> 
> But as I said, it's impossible to guarantee that the service never goes
> away.  It could crash or get OOM-killed (or terminate before all
> potential clients have terminated during system shutdown: is that
> possible?), and then you have a security hole.  So I would recommend
> filesystem sockets for everything.

Well, if PID 1 terminates the kernel halts the system. And udev fiddles
with its OOM score to avoid being killed. And if the dbus system bus
goes away the system becomes kinda unusable too.

These three services are kinda essential, if they go away the system is
dead. And given that this is how it is, these three are most likely the
only ones where it is safe that they use abstract namespace sockets.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
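
As an added illustration (not part of the thread), this is the check a client can make when it has to talk to an abstract-namespace socket at all: ask the kernel who holds the other end (SO_PEERCRED) rather than trusting the name, since the name itself carries no permissions once the original service is gone. The in-process server thread, the socket name and the uid expectations are constructed for the demo.

```python
import os
import socket
import struct
import threading

# Linux `struct ucred`: pid_t pid; uid_t uid; gid_t gid; (three native ints).
_UCRED_FMT = "3i"


def abstract_address(name):
    """Abstract-namespace address: a leading NUL byte instead of a filesystem path."""
    return b"\0" + name.encode()


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end of an AF_UNIX socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(_UCRED_FMT))
    return struct.unpack(_UCRED_FMT, raw)


def connect_checked(name, expected_uid):
    """Connect to abstract socket `name`; refuse unless the peer runs as `expected_uid`.
    Abstract names have no filesystem permissions, so after the real service has
    gone away any process may hold the name: the name alone proves nothing."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.connect(abstract_address(name))
        _pid, uid, _gid = peer_credentials(sock)
        if uid != expected_uid:
            raise PermissionError(f"{name!r} is held by uid {uid}, expected {expected_uid}")
    except BaseException:
        sock.close()
        raise
    return sock


def _serve(name, connections, ready):
    """Constructed stand-in for the service: accept `connections` clients, then exit."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(abstract_address(name))
        srv.listen(connections)
        ready.set()
        for _ in range(connections):
            srv.accept()[0].close()


def demo():
    """Server and client share a uid here, so os.getuid() is accepted and any
    other uid is rejected. Returns (accepted, rejected)."""
    name = f"peercred-demo-{os.getpid()}"  # constructed, unlikely to collide
    ready = threading.Event()
    t = threading.Thread(target=_serve, args=(name, 2, ready), daemon=True)
    t.start()
    ready.wait(5)
    with connect_checked(name, os.getuid()):
        accepted = True
    try:
        connect_checked(name, os.getuid() + 1)
        rejected = False
    except PermissionError:
        rejected = True
    t.join(5)
    return accepted, rejected
```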

