Fwd: $XDG_RUNTIME_DIR

Lennart Poettering mzkqt at 0pointer.de
Mon Dec 24 03:31:11 PST 2012 

On Mon, 24.12.12 10:36, David Faure (faure at kde.org) wrote:

> > Well, this is a DoS. You cannot use a guessable name in /tmp.
> 
> I see no other solution, as long as some distros don't set XDG_RUNTIME_DIR.
> (and BTW /tmp/.X0-lock is just as guessable, and has always been
> used.)

The X11 directories in /tmp are special, as sane distros create them
during early boot, so that the names are reserved and DoS issues do not
arise. That said, they are still ugly and X should use /run instead.
> 
> When talking to Debian people about setting XDG_RUNTIME_DIR, they pointed out 
> that another DoS attack is to fill up the partition containing XDG_RUNTIME_DIR 
> (e.g. filling up your /run/user/$USERNAME), preventing other users from 
> creating files under their own /run/user/$OTHERNAME. Is there a way to solve 
> this?

This is not an issue specific to /run. This is an issue to all
tmpfs directories, including /dev/shm and /tmp. 

We need quota on tmpfs, this has been known since long time, but there
is no need to fix this specifically for XDG_RUNTIME_DIR, but should be
fixed for all tmpfs instances.

A hack to add quota to /run/user is to mount a tmpfs for each user as he
logs in, which can then have a size limit attached. I think we should
avoid that however, since this would not solve the issue for /tmp and
/dev/shm, and is not applicable there, since users do not have private
subdirs there, but things are a shared namespace.

So, yeah, the issue exists, but needs to be fixed in the general
case. It's a limitation of tmpfs, not of XDG_RUNTIME_DIR. It's solvable
in the XDG_RUNTIME_DIR case, but we suggest to fix it properly in the
gernel tmpfs case instead.

> Finally, a last issue that came up about XDG_RUNTIME_DIR (when talking to 
> Debian people), was that it's not per-X-session ($DISPLAY), so logging in more 
> than once will break. A solution is for each application using XDG_RUNTIME_DIR 
> to create a subdir named after the DISPLAY, but it would have been nice if 
> this was handled by the OS automatically.

Well, placing per-session data in something that is per-user is easy
(just include some session ID in the file name), but placing per-user
data in something that is per-session is impossible.

Also, it's an illusion to believe our desktops could deal properly with
multiple sessions at the same time for the same user, so I think this is
mostly a theoretical issue...

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

More information about the xdg mailing list