Summary of the security discussions around Wayland and privileged clients

Thiago Macieira thiago at
Thu Feb 20 12:26:32 PST 2014

Em qui 20 fev 2014, às 19:56:08, Martin Peres escreveu:
> Le 20/02/2014 18:42, Thiago Macieira a écrit :
> > Unless you meant that the WAYLAND_SOCKET variable can contain a file
> > descriptor number. Is that the case? In that case, how should the
> > privileged process clear the environment to allow child processes to be
> > launched?
> Yes, it takes an FD as a parameter
> (
> isplay_connect.xml#63).
> The environment must be cleared automatically by the kernel because
> weston must be very careful about opening resources with O_CLOEXEC.

I don't think you've understood my question.

Suppose Weston is careful already. It creates the socket, ensures it's not 
O_CLOEXEC, sets WAYLAND_SOCKET and launches the privileged process.

Now, the privileged process wants to launch a sub-process. How will the sub-
process connect to the compositor? Remember: WAYLAND_SOCKET contains a file 
descriptor number that isn't available to the child process.

Thiago Macieira - thiago (AT) - thiago (AT)
   Software Architect - Intel Open Source Technology Center
      PGP/GPG: 0x6EF45358; fingerprint:
      E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358
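To make the question above concrete, here is an added example in C (not code from this thread, from Weston or from libwayland). It stands in a socketpair for the compositor connection, advertises one end's number in WAYLAND_SOCKET the way a compositor would, then spawns a child through /bin/sh that tries to reuse the advertised descriptor. Three spawn modes show the outcomes: the descriptor left inheritable (the child reaches the privileged socket), the descriptor marked FD_CLOEXEC with the variable left alone (the child gets a dangling number that refers to nothing, or to whatever fd it opens next), and the descriptor marked FD_CLOEXEC with WAYLAND_SOCKET scrubbed from the environment before exec. The spawn modes, the result struct and the shell probe are all my construction.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* How the process holding the WAYLAND_SOCKET fd spawns a child (constructed modes). */
enum spawn_mode {
    SPAWN_INHERIT,   /* fd inheritable, env untouched: child can use the socket */
    SPAWN_CLOEXEC,   /* fd is FD_CLOEXEC, env untouched: child sees a dangling number */
    SPAWN_SCRUBBED   /* fd is FD_CLOEXEC and WAYLAND_SOCKET removed before exec */
};

/* What the child observed (constructed result type). */
struct spawn_result {
    int env_present;  /* WAYLAND_SOCKET was set in the child's environment */
    int fd_reachable; /* the child could duplicate the advertised descriptor */
};

/* Spawn a probe child in the given mode. Returns 0 on success and fills *out. */
int spawn_child(enum spawn_mode mode, struct spawn_result *out)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int sock = sv[1]; /* stand-in for the compositor connection */

    /* A careful compositor/privileged client marks the fd close-on-exec. */
    if (mode != SPAWN_INHERIT)
        fcntl(sock, F_SETFD, fcntl(sock, F_GETFD) | FD_CLOEXEC);

    /* Advertise the descriptor number the way WAYLAND_SOCKET does. */
    char num[16];
    snprintf(num, sizeof num, "%d", sock);
    setenv("WAYLAND_SOCKET", num, 1);
    if (mode == SPAWN_SCRUBBED)
        unsetenv("WAYLAND_SOCKET"); /* the number is meaningless to the child */

    /* Probe: exit 3 if the variable is absent, 0 if the numbered fd can be
     * duplicated, non-zero otherwise (the shell reports EBADF on a closed fd). */
    const char *probe =
        "[ -n \"${WAYLAND_SOCKET+x}\" ] || exit 3; exec 3<&$WAYLAND_SOCKET";

    pid_t pid = fork();
    if (pid < 0) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", probe, (char *)NULL);
        _exit(127);
    }

    int status = 0;
    waitpid(pid, &status, 0);
    close(sv[0]);
    close(sv[1]);

    int code = WIFEXITED(status) ? WEXITSTATUS(status) : 127;
    out->env_present  = (code != 3);
    out->fd_reachable = (code == 0);
    return 0;
}

int main(void)
{
    const char *names[] = { "inherit", "cloexec", "scrubbed" };
    for (int m = SPAWN_INHERIT; m <= SPAWN_SCRUBBED; m++) {
        struct spawn_result r;
        if (spawn_child((enum spawn_mode)m, &r) == 0)
            printf("%-8s env_present=%d fd_reachable=%d\n",
                   names[m], r.env_present, r.fd_reachable);
    }
    return 0;
}
```

The middle mode is the case Thiago asks about: O_CLOEXEC alone stops the socket from leaking, but it leaves WAYLAND_SOCKET pointing at a descriptor number the child never had, so a child that trusts the variable will either fail to connect or, worse, talk to whatever unrelated file later lands on that number. Scrubbing the variable (or replacing it with a display name the child can open itself) is what keeps the privileged connection from being inherited while still giving children a coherent environment.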
