Security issues with abstract namespace sockets

Lennart Poettering mzerqung at 0pointer.de
Wed Jan 5 23:24:21 UTC 2011


On Wed, 05.01.11 16:47, Adam Jackson (ajax at redhat.com) wrote:

> On Wed, 2011-01-05 at 16:33 -0500, Matt McCutchen wrote:
> > On Wed, 2011-01-05 at 15:25 -0500, Adam Jackson wrote:
> > > I don't have any of those.  If the X server is running as root (like in
> > > the gdm case) then I can put the socket wherever I want.  If it's Xvfb,
> > > then where do I put this directory?  $HOME ?  Nope, might not be
> > > there.  /tmp/$USER ?  Won't work if someone else mkdir'd /tmp/ajax
> > > before I did.
> > 
> > What about the XDG_RUNTIME_DIR (/var/run/user/$USER) from systemd?
> 
> atropine:~% ssh 10.16.61.101
> test at 10.16.61.101's password: 
> Last login: Wed Jan  5 16:42:43 2011
> [test at dhcp-10-16-61-101 ~]$ set | grep XDG
> [test at dhcp-10-16-61-101 ~]$ rpm -q systemd fedora-release
> systemd-15-1.fc15.x86_64
> fedora-release-15-0.3.noarch
> 
> Console login at least gives me an XDG_SESSION_COOKIE.

That should work. Probably during upgrade the PAM files weren't
corrected. Try invoking "authconfig".

XDG_SESSION_COOKIE is supposed to be secret and is probably going to go
away soonishly, as it is obsolete now that we have /proc/self/loginuid.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
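
An added example, not part of the original thread: one way a program could check that the directory it is about to place a socket in is really private to its user, which is the failure raised above for a pre-created /tmp/$USER. The function names are hypothetical, and treating an unusable XDG_RUNTIME_DIR as "no directory" rather than falling back to /tmp is an assumption of this sketch.

```python
import os
import stat
import tempfile

def is_private_dir(path, uid):
    """True only if path is a real directory (not a symlink), owned by uid,
    with no permission bits set for group or others."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted by another user
    except OSError:
        return False
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == uid
            and (st.st_mode & 0o077) == 0)

def pick_socket_dir(environ, uid):
    """Return XDG_RUNTIME_DIR if it is set, absolute and private to uid, else None."""
    candidate = environ.get("XDG_RUNTIME_DIR")
    if candidate and os.path.isabs(candidate) and is_private_dir(candidate, uid):
        return candidate
    return None

def demo():
    """Run the check over constructed directories and return the outcome per case."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as base:
        good = os.path.join(base, "runtime")
        os.mkdir(good)
        os.chmod(good, 0o700)  # set explicitly so the umask cannot interfere
        results["private"] = pick_socket_dir({"XDG_RUNTIME_DIR": good}, uid)
        results["unset"] = pick_socket_dir({}, uid)
        # Same directory, but evaluated for a different uid: models a directory
        # that someone else created first.
        results["other_owner"] = pick_socket_dir({"XDG_RUNTIME_DIR": good}, uid + 1)
        link = os.path.join(base, "link")
        os.symlink(good, link)
        results["symlink"] = pick_socket_dir({"XDG_RUNTIME_DIR": link}, uid)
        os.chmod(good, 0o777)
        results["world_writable"] = pick_socket_dir({"XDG_RUNTIME_DIR": good}, uid)
    return results

if __name__ == "__main__":
    for case, chosen in demo().items():
        print(case, "->", chosen)
```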