Summary of the security discussions around Wayland and privileged clients

Martin Peres martin.peres at
Thu Feb 20 12:31:59 PST 2014

Le 20/02/2014 21:26, Thiago Macieira a écrit :
> Em qui 20 fev 2014, às 19:56:08, Martin Peres escreveu:
>> Le 20/02/2014 18:42, Thiago Macieira a écrit :
>>> Unless you meant that the WAYLAND_SOCKET variable can contain a file
>>> descriptor number. Is that the case? In that case, how should the
>>> privileged process clear the environment to allow child processes to be
>>> launched?
>> Yes, it takes an FD as a parameter
>> (
>> isplay_connect.xml#63).
>> The environment must be cleared automatically by the kernel because
>> weston must be very careful about opening resources with O_CLOEXEC.
> I don't think you've understood my question.
> Suppose Weston is careful already. It creates the socket, ensures it's not
> O_CLOEXEC, sets WAYLAND_SOCKET and launches the privileged process.
> Now, the privileged process wants to launch a sub-process. How will the sub-
> process connect to the compositor? Remember: WAYLAND_SOCKET contains a file
> descriptor number that isn't available to the child process.
Ah, I see. You are suggesting un-setting WAYLAND_SOCKET and using fcntl() to
set the socket's fd to CLOEXEC?

It is true that multiple processes could end up with the same connection and
I didn't think about that. The problem is the same if an application 
to the compositor by itself and then forks. Not sure how the compositor
could detect that :s

More information about the wayland-devel mailing list