[pulseaudio-discuss] [PATCH] have make_random_dir respect $TMPDIR
lennart at poettering.net
Tue Sep 23 05:34:30 PDT 2008
On Tue, 23.09.08 10:24, Rémi Cardona (remi at gentoo.org) wrote:
> What about abstract sockets? X now uses them too...
> Wouldn't that fix /tmp issues?
Abstract Unix sockets still have a single shared namespace for all
users. That means you still have a DoS vulnerability, because an evil
user may simply take all well known socket paths before you can take
them and then you lost, because you don't have any name to take anymore.
The only way to fix this properly is by using only sockets in /tmp
that have a random name. Of course that limits their use, since when
the name is random, not even you can connect to it anymore unless you
get passed the path somehow.
OTOH unix sockets may not be placed in $HOME, due to NFS and
stuff. $HOME would have the big advantage that it is not a shared
namespace but a private one. OTOH it unfortunately is not
machine-specific, but might be shared via NFS -- something /tmp does
not suffer from.
To work around that PA now follows the following scheme: we create a
randomly named subdir in /tmp where we put our sockets and then
symlink a well known name in $HOME to that dir. Every time we access
those sockets we make sure the symlink still points to a dir in /tmp
owned by us. The well-known dir in $HOME also includes a machine-specific id
(usually the D-Bus machine id, with the hostname as fallback) in the
name, to make sure our socket-dir stays machine-specific and we don't
get any problems over NFS.
Complicated? Yes! Necessary? Yes, absolutely, because Unix sucks.
All that said I still don't know how $TMPDIR fits into all this.
Lennart Poettering Red Hat, Inc.
lennart [at] poettering [dot] net ICQ# 11060553
http://0pointer.net/lennart/ GnuPG 0x1A015CC4