[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: denial of service attack for X/esound?

On Mon, Feb 14, 2000 at 07:08:20PM +1100, Brian May wrote:
> To reproduce:
> (won't work if anything has already started X including gdm/wdm/xdm
> since the last boot).
> 1. Login as user X.
> 2. touch /tmp/.X11-unix
> 3. Login as user Y.
> 4. Run startx.
> 5. Since the socket could not be created under /tmp/.X11-unix, clients
> will fail to connect. Only a reboot, root, or user X can fix the problem.
> For the record, here is the error I get:
> _X11TransSocketUnixConnect: Can't connect: errno = 20
> I have reported a similar bug for esound's usage of /tmp/.esd (which
> IMHO is worse, as only one socket name under /tmp/.esd can be used).
> Note: attack for X might also be possible by the other user creating a
> directory and restricting access, I haven't tested this in detail yet
> though.

 Good call on that.  I think the appropriate fix is to have the /tmp cleaner
create /tmp/.X11-unix after cleaning out /tmp.  Or maybe it should exclude
.X11-unix.  OTOH, that lets people park crap in there without it getting
cleaned.  I guess it should delete everything _in_ /tmp/.X11-unix, but not
the directory itself. (rm -rf /tmp/.X11-unix/*, except that somebody could
make a symlink called .X11-unix and make rm do something nasty.  Grrr...)
Ok, I think the best solution is to clean out /tmp completely, then
recreate .X11-unix.  This means putting 
mkdir --mode=1777 /tmp/.X11-unix 
in /etc/init.d/bootmisc.sh (right, developers? :)

 This is a tradeoff, because forcing creation of /tmp/.X11-unix is ugly if X
is not used on the machine.  The same solution applies to esd, I guess, with
even more risk of making unneeded directories.  I guess that's a small price
(512 bytes and an inode :) to pay for preventing users from knocking down
your door.

 Another solution is to have X clobber /tmp/.X11-unix if it is bogus when it
starts up, and/or adjust the permissions on it.  This is not so nice, since
it means putting code into the X server or making another set-uid program.

 Hrmmm.  BTW, I don't like the idea of X having a boot script that runs from
rcS.d.  I hate having huge numbers of things run at boot time.  I haven't
gotten around to putting all the debian boot time stuff into 1 or 2 files
(like I did with Stampede) on my personal machine, and I don't think I will,
since that would break the wonderfully marvelous package system a bit.  One
directory seems a bit too frivolous to have a whole boot script for.

 Oh... even better idea:  bootmisc.sh could check for the existence of 
/tmp/.X11-unix before cleaning out /tmp.  If it exists, then it is recreated
with mode 1777

# replacement for /tmp cleaner in bootmisc.sh

[ -d /tmp/.X11-unix ] && make-x=yes
[ -d /tmp/.esd ] && make-esd=yes

# clean dot files + other files in /tmp
cd /tmp && ls  | egrep -v '^quota.(user|group)$|^lost+found' |
xargs rm -rf .[^.]* 
# maybe we should stick with the find command used currently, but since it
# checks UID on the preserved files, and cleans out /tmp/lost+found.
# I like my version for efficiency, though :)  somebody check that egrep
# command if you decide to use it, though :)  (I haven't tried this script.)

[ $make-x = yes ] && mkdir --mode=1777 .X11-unix
[ $make-esd = yes ] && mkdir --mode=1777 .esd

#define X(x,y) x##y
DUPS Secretary ; http://is2.dal.ca/~dups/
Peter Cordes ;  e-mail: X(peter@cordes.phys. , dal.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE

Reply to: