Security question?
Thomas Hellström
unichrome at shipmail.org
Wed Nov 3 14:12:09 PST 2004
Hi
Adam Jackson wrote:
>On Wednesday 03 November 2004 16:33, Thomas Hellström wrote:
>
>
>>Hi!
>>
>>I'm working on a way for the client XvMC lib to determine whether an X
>>server connection is local or not.
>>
>>The best way I've come up with so far is for the client to allocate a
>>shared memory page, and fill it with a pattern which is seeded by a
>>pseudo-random 32-bit number. It then transmits this number and the
>>shared memory page ID to the server which tries to map the shared memory
>>page, verifies the pattern and returns either fault or OK.
>>
>><snip>
>>
>>Is this an acceptable approach security-wise?
>>Are there simpler ways?
>>
>>
>
>getsockname(3) on the connection fd. It's local if one of:
>
>- family is PF_UNIX
>- family is PF_INET and address is 127.0.0.1
>- family is PF_INET6 and address is ::1
>- family is PF_DECnet and address is whatever the DECnet loopback address is
>(probably you don't need to worry about this case)
>
>I suppose you could add some more work to check if the IP address matches that
>of any of the attached network interface, but I wouldn't bother.
>
>From a security standpoint this is perfect. The user can spoof getsockname()
>through linker tricks, but neither case is problematic. If the connection is
>local and the user spoofs it isn't, then XvMC will fail to work because it
>won't be able to open the hardware. If the connection is remote but the user
>spoofs it's local, then the XvMC lib will open the local hardware, which the
>user already _has_ access to.
>
>
>
Hmm,
Doesn't any connection based approach fail with proxy X servers like
ssh, where the shm approach will work?
/Thomas
>- ajax
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.x.org/archives/xorg/attachments/20041103/0f0de0e6/attachment.html>
More information about the xorg
mailing list