Old 03-21-2010, 01:44 PM
Jonathan Underwood
 
Akonadi's unix sockets location

On 19 March 2010 23:52, Lennart Poettering <mzerqung@0pointer.de> wrote:
> That is a security hole. Since /tmp knows no further access control an
> evil user can just create dirs there for each and every single user on
> the system. Those directories will then be owned by him, and all other
> users will a) either completely fail to work or b) happily connect to
> the evil user's services unless the software in question implements
> two-way credential passing and verification (which I'd bet akonadi
> doesn't do).
>
> So either this is a DoS vulnerability or an even worse security hole.
>
> So in short: don't do this. If you safely want to place a socket in
> /tmp, you need to place it in a random dir, and then symlink (or
> otherwise refer to it) from $HOME. Or better (as Colin suggested), just
> use D-Bus to pass around the randomized socket path. (or even better:
> use the new fd passing in D-Bus so that you don't need the socket path at
> all)
>
> Or even shorter: Unix sucks.
>
> At last year's FOSS.in I did a talk about issues like this in Unix and
> how to work around them in applications and how incredibly hard it is to
> get this right. One of those days I hope to find the time to write a
> blog story about this.
>
> I personally believe introducing a per-user /var/run (maybe as
> /var/run/users/$USER which is created at login time) is the cleanest way to
> fix all of this.
>
>> I can't imagine what harm that would cause to default under /tmp?
>
> It's a shared namespace. As such it is a major source of
> vulnerabilities, especially if the developers didn't have this
> particular use in mind.

To what extent would the security issues associated with files in /tmp
be mitigated with polyinstantiated /tmp directories? Should Fedora
move to that as a default?
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
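The hole Lennart describes above (a predictable directory under the shared /tmp that any other user can create first) and the remedy he recommends (a freshly made random directory, referred to from $HOME, plus credential verification on the socket) as an added example. This is illustrative code written for this archive, not code from the thread, from Akonadi or from any Fedora package; the link name `.akonadi-socket-dir`, the function names and the default prefix are assumptions of the example, and `SO_PEERCRED` is Linux-specific.

```python
import os
import socket
import stat
import struct
import tempfile


def dir_is_trustworthy(path, uid=None):
    """Decide whether a (possibly predictable) socket directory may be used.

    Rejects anything that is missing, not a real directory (symlinks are not
    followed), not owned by `uid`, or writable by group/others. A directory
    pre-created by another user in the shared /tmp namespace fails here
    instead of silently becoming the place we listen on or connect to.
    """
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(path)  # lstat, not stat: never follow a planted symlink
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != uid:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def private_socket_dir(home, tmp="/tmp", name="akonadi"):
    """Create an unguessable, freshly made 0700 directory under `tmp` and
    record its location with a symlink in `home` (the pattern from the thread).

    mkdtemp() creates the directory with a random suffix and fails if the
    name already exists, so there is no predictable name for another user
    to squat on in advance and no check-then-use window to race.
    """
    d = tempfile.mkdtemp(prefix=f"{name}-", dir=tmp)
    link = os.path.join(home, f".{name}-socket-dir")  # assumed link name
    try:
        os.remove(link)  # drop a stale link left by an earlier session
    except FileNotFoundError:
        pass
    os.symlink(d, link)
    return d


def peer_uid(sock):
    """Return the uid of the process on the other end of an AF_UNIX stream
    socket (Linux SO_PEERCRED), or None where the platform lacks it.

    This is one half of the 'two-way credential verification' the thread
    says most software does not do: the client learns who listens on the
    socket, and a server can apply the same check to each accepted client.
    """
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)  # struct ucred: pid, uid, gid
    return uid


def connect_verified(path, expected_uid):
    """Connect to the AF_UNIX socket at `path` and refuse the connection if
    the listener is not running as `expected_uid` (where that can be checked)."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(path)
    uid = peer_uid(s)
    if uid is not None and uid != expected_uid:
        s.close()
        raise PermissionError(f"{path} is served by uid {uid}, expected {expected_uid}")
    return s
```

`dir_is_trustworthy` is only a safety net for software that insists on a fixed path: between the check and the `bind()`/`connect()` another user can still act on the shared directory, which is exactly why the thread prefers the `mkdtemp` route, where the name is random and the directory is known not to have existed a moment earlier. A per-user runtime directory created at login, as Lennart proposes, removes the shared namespace altogether and makes both checks unnecessary.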
 
Old 03-22-2010, 12:11 PM
Daniel J Walsh
 
Akonadi's unix sockets location

On 03/21/2010 10:44 AM, Jonathan Underwood wrote:
> On 19 March 2010 23:52, Lennart Poettering<mzerqung@0pointer.de> wrote:
>
>> That is a security hole. Since /tmp knows no further access control an
>> evil user can just create dirs there for each and every single user on
>> the system. Those directories will then be owned by him, and all other
>> users will a) either completely fail to work or b) happily connect to
>> the evil user's services unless the software in question implements
>> two-way credential passing and verification (which I'd bet akonadi
>> doesn't do).
>>
>> So either this is a DoS vulnerability or an even worse security hole.
>>
>> So in short: don't do this. If you safely want to place a socket in
>> /tmp, you need to place it in a random dir, and then symlink (or
>> otherwise refer to it) from $HOME. Or better (as Colin suggested), just
>> use D-Bus to pass around the randomized socket path. (or even better:
>> use the new fd passing in D-Bus so that you don't need the socket path at
>> all)
>>
>> Or even shorter: Unix sucks.
>>
>> At last year's FOSS.in I did a talk about issues like this in Unix and
>> how to work around them in applications and how incredibly hard it is to
>> get this right. One of those days I hope to find the time to write a
>> blog story about this.
>>
>> I personally believe introducing a per-user /var/run (maybe as
>> /var/run/users/$USER which is created at login time) is the cleanest way to
>> fix all of this.
>>
>>
>>> I can't imagine what harm that would cause to default under /tmp?
>>>
>> It's a shared namespace. As such it is a major source of
>> vulnerabilities, especially if the developers didn't have this
>> particular use in mind.
>>
> To what extent would the security issues associated with files in /tmp
> be mitigated with polyinstantiated /tmp directories? Should Fedora
> move to that as a default?
>
Yes, a lot of this would be fixed, but it is very confusing to have
different views of /tmp.
I have it set up right now and am bitten by root having a different view of
/tmp than my user account.
And I understand the technology.
 
Old 03-22-2010, 01:40 PM
Lennart Poettering
 
Akonadi's unix sockets location

On Sun, 21.03.10 14:44, Jonathan Underwood (jonathan.underwood@gmail.com) wrote:

> > It's a shared namespace. As such it is a major source of
> > vulnerabilities, especially if the developers didn't have this
> > particular use in mind.
>
> To what extent would the security issues associated with files in /tmp
> be mitigated with polyinstantiated /tmp directories? Should Fedora
> move to that as a default?

The major security issues would certainly go away that way, but I don't
think that such a behavioural change would be a good idea. /tmp has
always been a shared namespace, and some apps might actually depend on
that to exchange files between users. The FHS assumes a single namespace
for the entire fs hierarchy and departing from that might create various
unexpected problems, starting from admins who don't expect a weirdness
like this, but also applications that break with behaviour like that.

To my knowledge the Debian folks experimented with this a couple of
years ago, and even wanted to make it the default (but didn't in the
end, afaics). Might be interesting to learn about the results of their
experimenting.

Instead of changing the semantics of /tmp, which is already way too
established with all its brokenness and weird semantics, I'd rather like
to see a new dir added, /var/run/users/$USER/, that does not suffer from all
the problems and introduces new, clean and well defined semantics.

Lennart

--
Lennart Poettering Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/ GnuPG 0x1A015CC4