Summary of the security discussions around Wayland and privileged clients

Thiago Macieira thiago at kde.org
Thu Feb 20 12:26:32 PST 2014


Em qui 20 fev 2014, às 19:56:08, Martin Peres escreveu:
> Le 20/02/2014 18:42, Thiago Macieira a écrit :
> > Unless you meant that the WAYLAND_SOCKET variable can contain a file
> > descriptor number. Is that the case? In that case, how should the
> > privileged process clear the environment to allow child processes to be
> > launched?
> 
> Yes, it takes an FD as a parameter
> (http://code.metager.de/source/xref/freedesktop/wayland/wayland/doc/man/wl_display_connect.xml#63).
> 
> The environment must be cleared automatically by the kernel because
> weston must be very careful about opening resources with O_CLOEXEC.

I don't think you've understood my question.

Suppose Weston is careful already. It creates the socket, ensures it's not
O_CLOEXEC, sets WAYLAND_SOCKET and launches the privileged process.

Now, the privileged process wants to launch a sub-process. How will the sub-
process connect to the compositor? Remember: WAYLAND_SOCKET contains a file 
descriptor number that isn't available to the child process.

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
   Software Architect - Intel Open Source Technology Center
      PGP/GPG: 0x6EF45358; fingerprint:
      E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358
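An added illustration of the hand-over Thiago describes (example code, not from the thread or from the Wayland project): a socketpair stands in for the compositor socket, and the client side adopting the fd, marking it CLOEXEC and unsetting WAYLAND_SOCKET is my model of what a connecting client does, not something the mails state. Once the client has done that, a sub-process it launches finds no WAYLAND_SOCKET at all, which is the gap being asked about.

```c
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>

/* "Compositor" side: a socketpair stands in for the compositor socket.
 * Keep our end CLOEXEC, clear CLOEXEC on the client's end so it survives
 * exec(), and publish its number in WAYLAND_SOCKET. Returns our end or -1. */
int hand_over_socket(int *client_fd) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (fcntl(sv[0], F_SETFD, FD_CLOEXEC) < 0) return -1;
    if (fcntl(sv[1], F_SETFD, 0) < 0) return -1;   /* no FD_CLOEXEC */
    char buf[16];
    snprintf(buf, sizeof buf, "%d", sv[1]);
    if (setenv("WAYLAND_SOCKET", buf, 1) < 0) return -1;
    *client_fd = sv[1];
    return sv[0];
}

/* "Privileged client" side (assumed model): adopt the fd named by
 * WAYLAND_SOCKET, mark it CLOEXEC and drop the variable, so neither the number
 * nor the descriptor reaches a sub-process. Returns the fd, or -1 if unusable. */
int take_over_socket(void) {
    const char *s = getenv("WAYLAND_SOCKET");
    if (!s || !*s) return -1;
    char *end;
    long fd = strtol(s, &end, 10);
    if (*end || fd < 0 || fd > INT_MAX) return -1;
    int flags = fcntl((int)fd, F_GETFD);
    if (flags < 0) return -1;            /* number does not name an open fd */
    if (fcntl((int)fd, F_SETFD, flags | FD_CLOEXEC) < 0) return -1;
    unsetenv("WAYLAND_SOCKET");
    return (int)fd;
}

/* What a sub-process of the client would find: is WAYLAND_SOCKET still set?
 * After take_over_socket() it is not, so the child must use the socket path. */
int subprocess_sees_socket_env(void) {
    return getenv("WAYLAND_SOCKET") != NULL;
}

/* 1 if fd is open and flagged FD_CLOEXEC, 0 otherwise. */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags >= 0 && (flags & FD_CLOEXEC) != 0;
}
```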
