In Tuesday 04 August 2009, you wrote:
>On Tue, Aug 04, 2009 at 09:52:23AM -0500, Boyd Stephen Smith Jr. wrote:
>> In <20090804100620.GA8545@shurick.s2s.msu.ru>, Alexander Inyukhin wrote:
>> >Socket permissions are controlled by umask, but if security
>> >matters, a more sophisticated way of managing sockets should be used.
>> >Since task-spooler is intended for use in single user environment,
>> >I do not think this is a serious issue.
>>
>> Unfortunately, Debian is not limited to use as a single-user environment
>> so you may need to revisit the security implications. At the very
>> least, you may want to warn the administrator that it is not suitable
>> for multi-user environments.
>>
>> Any reason task-spooler can't secure its sockets the same way ssh-agent
>> and/or gpg-agent secure theirs?
>
>Actually, it can. It is just not the default behavior.
>User may override socket location via environment variables TMPDIR or
> TS_SOCKET. As with gpg-agent, this requires additional setup.

Hrm, I'm not using any special GPG settings and my socket resides in
/tmp/gpg-6qK7UK/S.gpg-agent; my ssh-agent is in a similar location.

>Creating socket with predefined name in user's home directory seems to be
>a better choice. Are there any policy rules about socket naming?

I think secure-by-default would be the better choice. I don't know what
kind of information is passed over the socket, but if it is in a
(group/world) writable directory or (group/world) readable/writable itself
it is possible a local attacker could hijack the connection.

As far as I know there is no policy. I'm not a DD and speak only for
myself. I don't mean to hold up the sponsoring of the package if my issues
don't bother the sponsors.

Creating the socket as mode 600 in the user's home directory seems
relatively safe, but isolating it in a mode 700 directory doesn't seem like
a bad idea. I suppose a user's home directory might be group writable, but
that seems unusual.

-- 
Boyd Stephen Smith Jr.                     ,= ,-_-. =.
email@example.com                          ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy           `-'(. .)`-'
http://iguanasuicide.net/                      \_/
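The layout Boyd describes (socket mode 600 inside a mode 700 directory that only the owner controls, the same shape ssh-agent and gpg-agent use) can be built and then audited with a few stat checks. The script below is an added illustration, not task-spooler's code or anything from the thread; the directory prefix, the audit rules and the demo() helper are my own assumptions.

```python
"""Create a Unix-domain socket in a private 0700 directory with mode 0600,
then audit the result the way a local administrator would.  Added example,
not task-spooler's code; names and audit rules are assumptions."""
import os
import socket
import stat
import tempfile


def create_private_socket(parent_dir, name="socket"):
    """Return (dir, path, listening socket) for <parent_dir>/<0700 dir>/<name>."""
    # mkdtemp creates the directory 0700 regardless of the caller's umask.
    sock_dir = tempfile.mkdtemp(prefix="ts-", dir=parent_dir)
    path = os.path.join(sock_dir, name)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    # bind() creates the socket inode as 0777 & ~umask; 0177 yields 0600,
    # so only the owner may even connect (the ssh-agent approach).
    old_umask = os.umask(0o177)
    try:
        sock.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, 0o600)  # explicit, in case the platform ignored umask here
    sock.listen(1)
    return sock_dir, path, sock


def audit_socket_path(path):
    """List weaknesses a local attacker could use to hijack the connection."""
    problems = []
    st = os.lstat(path)  # lstat: a planted symlink must not pass as a socket
    if not stat.S_ISSOCK(st.st_mode):
        problems.append("path is not a socket (symlink or file planted there?)")
    if st.st_uid != os.getuid():
        problems.append("socket not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("socket is group/world accessible")
    dst = os.stat(os.path.dirname(path))
    if dst.st_uid != os.getuid():
        problems.append("directory not owned by the current user")
    if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("directory is group/world writable (socket can be replaced)")
    return problems


def demo():
    """Build a socket, audit it, then weaken the directory and audit again."""
    base = tempfile.mkdtemp()  # stands in for $HOME in this demonstration
    sock_dir, path, sock = create_private_socket(base)
    dir_mode = os.stat(sock_dir).st_mode & 0o777
    sock_mode = os.stat(path).st_mode & 0o777
    clean = audit_socket_path(path)
    os.chmod(sock_dir, 0o777)  # simulate a group/world writable parent
    weak = audit_socket_path(path)
    sock.close()
    return dir_mode, sock_mode, clean, weak
```

Run demo() to see the clean audit (no findings, 0700/0600) followed by the finding raised once the directory becomes world writable.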