Security question?

Thomas Hellström unichrome at shipmail.org
Wed Nov 3 14:12:09 PST 2004


Hi
Adam Jackson wrote:

>On Wednesday 03 November 2004 16:33, Thomas Hellström wrote:
>  
>
>>Hi!
>>
>>I'm working on a way for the client XvMC lib to determine whether an X
>>server connection is local or not.
>>
>>The best way I've come up with so far is for the client to allocate a
>>shared memory page, and fill it with a pattern which is seeded by a
>>pseudo-random 32-bit number. It then transmits this number and the
>>shared memory page ID to the server which tries to map the shared memory
>>page, verifies the pattern and returns either fault or OK.
>>
>><snip>
>>
>>Is this an acceptable approach security-wise?
>>Are there simpler ways?
>>    
>>
>
>getsockname(3) on the connection fd.  It's local if one of:
>
>- family is PF_UNIX
>- family is PF_INET and address is 127.0.0.1
>- family is PF_INET6 and address is ::1
>- family is PF_DECnet and address is whatever the DECnet loopback address is 
>(probably you don't need to worry about this case)
>
>I suppose you could add some more work to check if the IP address matches that 
>of any of the attached network interface, but I wouldn't bother.
>
>From a security standpoint this is perfect.  The user can spoof getsockname() 
>through linker tricks, but neither case is problematic.  If the connection is 
>local and the user spoofs it isn't, then XvMC will fail to work because it 
>won't be able to open the hardware.  If the connection is remote but the user 
>spoofs it's local, then the XvMC lib will open the local hardware, which the 
>user already _has_ access to.
>
>  
>
Hmm,
Doesn't any connection based approach fail with proxy X servers like 
ssh, where the shm approach will work?

/Thomas

>- ajax
>  
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.x.org/archives/xorg/attachments/20041103/0f0de0e6/attachment.html>


More information about the xorg mailing list