Summary of the security discussions around Wayland and privileged clients
Thiago Macieira
thiago at kde.org
Thu Feb 20 12:26:32 PST 2014
On Thu 20 Feb 2014, at 19:56:08, Martin Peres wrote:
> On 20/02/2014 18:42, Thiago Macieira wrote:
> > Unless you meant that the WAYLAND_SOCKET variable can contain a file
> > descriptor number. Is that the case? In that case, how should the
> > privileged process clear the environment to allow child processes to be
> > launched?
>
> Yes, it takes an FD as a parameter
> (http://code.metager.de/source/xref/freedesktop/wayland/wayland/doc/man/wl_display_connect.xml#63).
>
> The environment must be cleared automatically by the kernel because
> weston must be very careful about opening resources with O_CLOEXEC.
I don't think you've understood my question.
Suppose Weston is careful already. It creates the socket, ensures it's not
O_CLOEXEC, sets WAYLAND_SOCKET and launches the privileged process.
Now, the privileged process wants to launch a sub-process. How will the
sub-process connect to the compositor? Remember: WAYLAND_SOCKET contains a file
descriptor number that isn't available to the child process.
--
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
Software Architect - Intel Open Source Technology Center
PGP/GPG: 0x6EF45358; fingerprint:
E067 918B B660 DBD1 105C 966C 33F5 F005 6EF4 5358
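The hand-off Thiago describes, as an added example that is not part of the thread and is not code from Weston or libwayland: the parent creates a socketpair, clears FD_CLOEXEC only on the client's end, exports WAYLAND_SOCKET as a bare descriptor number and execs. The forked child plays the privileged process, and its sub-process is /bin/sh standing in for any program that would read the variable. The privileged process marking its connection close-on-exec and unsetting the variable before spawning are this example's own choices, not behaviour the page attributes to libwayland; parse_wayland_socket, hand_off_socket, move_below_ten and the child_mode values are names made up for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Strict reading of WAYLAND_SOCKET: a decimal descriptor number that is open in
 * this process. Returns the fd, or -1 if malformed or not open here. */
int parse_wayland_socket(const char *value)
{
    char *end;
    long n;

    if (value == NULL || *value == '\0')
        return -1;
    errno = 0;
    n = strtol(value, &end, 10);
    if (errno != 0 || *end != '\0' || n < 0 || n > INT_MAX)
        return -1;
    return fcntl((int)n, F_GETFD) == -1 ? -1 : (int)n;  /* set, but no such fd here */
}

/* What the forked "privileged process" does before exec'ing its sub-process. */
enum child_mode {
    MODE_EXEC_DIRECTLY,      /* exec at once: the compositor's own child uses the fd */
    MODE_CONSUME_THEN_EXEC,  /* claim the fd as its connection, leave the variable set */
    MODE_CONSUME_UNSET_EXEC  /* claim the fd, then unsetenv() before spawning */
};

/* Stand-in sub-process (hypothetical, not a Wayland client): exits 3 if
 * WAYLAND_SOCKET is absent, 0 if it could write through the descriptor the
 * variable names, otherwise non-zero (that descriptor was closed at exec). */
static const char *SUBPROCESS_SCRIPT =
    "[ -z \"${WAYLAND_SOCKET+x}\" ] && exit 3; exec 2>/dev/null; "
    "printf hello >&\"$WAYLAND_SOCKET\" && exit 0; exit 4";

/* dash accepts only a single digit after >&, so keep the client end below 10. */
static int move_below_ten(int fd)
{
    int target;

    for (target = 3; fd >= 10 && target < 10; target++) {
        if (fcntl(target, F_GETFD) == -1 && errno == EBADF) {
            if (dup2(fd, target) == -1)
                return -1;
            close(fd);
            return target;
        }
    }
    return fd < 10 ? fd : -1;
}

/* Hand one end of a socketpair to a child as the message describes (optionally
 * clear FD_CLOEXEC on it, export WAYLAND_SOCKET=<number>, exec) and return the
 * exit status of the process that finally tries to use it; -1 on error, or if
 * the child claimed success but nothing arrived on the compositor's end. */
int hand_off_socket(int clear_cloexec, enum child_mode mode)
{
    int sv[2], status;
    char env[16], buf[16];
    pid_t pid;
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    if ((sv[1] = move_below_ten(sv[1])) == -1)
        return -1;
    fcntl(sv[0], F_SETFD, FD_CLOEXEC);          /* compositor's end never crosses exec */
    fcntl(sv[1], F_SETFD, clear_cloexec ? 0 : FD_CLOEXEC);
    snprintf(env, sizeof env, "%d", sv[1]);

    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        setenv("WAYLAND_SOCKET", env, 1);
        if (mode != MODE_EXEC_DIRECTLY) {
            int fd = parse_wayland_socket(getenv("WAYLAND_SOCKET"));
            if (fd == -1)
                _exit(5);
            fcntl(fd, F_SETFD, FD_CLOEXEC);      /* our connection: keep it from children */
            if (mode == MODE_CONSUME_UNSET_EXEC)
                unsetenv("WAYLAND_SOCKET");
        }
        execl("/bin/sh", "sh", "-c", SUBPROCESS_SCRIPT, (char *)NULL);
        _exit(127);
    }
    close(sv[1]);
    n = read(sv[0], buf, sizeof buf - 1);       /* EOF once no process holds sv[1] */
    close(sv[0]);
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    status = WEXITSTATUS(status);
    if (status == 0 && (n != 5 || memcmp(buf, "hello", 5) != 0))
        return -1;
    return status;
}
```

hand_off_socket(1, MODE_EXEC_DIRECTLY) returns 0: the child writes "hello" through the inherited descriptor and the parent receives it. With FD_CLOEXEC left set on the client end, or once the privileged child has claimed the descriptor and execs a sub-process with the variable still exported, the sub-process finds a number that refers to nothing and exits non-zero; that second case is exactly the situation the message asks about, and no amount of care in the compositor fixes it, because the descriptor number is only meaningful inside the process it was handed to. With the variable unset before the spawn, the sub-process reports 3 (absent), which for a real client is the state in which wl_display_connect() falls back to the named socket from WAYLAND_DISPLAY.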