Re: denial of service attack for X/esound?
On Mon, Feb 14, 2000 at 07:08:20PM +1100, Brian May wrote:
> To reproduce:
>
> (won't work if anything has already started X including gdm/wdm/xdm
> since the last boot).
>
> 1. Login as user X.
> 2. touch /tmp/.X11-unix
> 3. Login as user Y.
> 4. Run startx.
> 5. Since the socket could not be created under /tmp/.X11-unix, clients
> will fail to connect. Only a reboot, root, or user X can fix the problem.
>
> For the record, here is the error I get:
>
> _X11TransSocketUnixConnect: Can't connect: errno = 20
>
> I have reported a similar bug for esound's usage of /tmp/.esd (which
> IMHO is worse, as only one socket name under /tmp/.esd can be used).
>
> Note: attack for X might also be possible by the other user creating a
> directory and restricting access, I haven't tested this in detail yet
> though.
Good call on that. I think the appropriate fix is to have the /tmp cleaner
create /tmp/.X11-unix after cleaning out /tmp. Or maybe it should exclude
.X11-unix. OTOH, that lets people park crap in there without it getting
cleaned. I guess it should delete everything _in_ /tmp/.X11-unix, but not
the directory itself. (rm -rf /tmp/.X11-unix/*, except that somebody could
make a symlink called .X11-unix and make rm do something nasty. Grrr...)
Ok, I think the best solution is to clean out /tmp completely, then
recreate .X11-unix. This means putting
mkdir --mode=1777 /tmp/.X11-unix
in /etc/init.d/bootmisc.sh (right, developers? :)
This is a tradeoff, because forcing creation of /tmp/.X11-unix is ugly if X
is not used on the machine. The same solution applies to esd, I guess, with
even more risk of making unneeded directories. I guess that's a small price
(512 bytes and an inode :) to pay for preventing users from knocking down
your door.
Another solution is to have X clobber /tmp/.X11-unix if it is bogus when it
starts up, and/or adjust the permissions on it. This is not so nice, since
it means putting code into the X server or making another set-uid program.
Hrmmm. BTW, I don't like the idea of X having a boot script that runs from
rcS.d. I hate having huge numbers of things run at boot time. I haven't
gotten around to putting all the debian boot time stuff into 1 or 2 files
(like I did with Stampede) on my personal machine, and I don't think I will,
since that would break the wonderfully marvelous package system a bit. One
directory seems a bit too frivolous to have a whole boot script for.
Oh... even better idea: bootmisc.sh could check for the existence of
/tmp/.X11-unix before cleaning out /tmp. If it exists, then it is recreated
with mode 1777.
# replacement for /tmp cleaner in bootmisc.sh
make_x=no; make_esd=no
[ -d /tmp/.X11-unix ] && make_x=yes
[ -d /tmp/.esd ] && make_esd=yes
# clean dot files + other files in /tmp
cd /tmp && ls | egrep -v '^quota\.(user|group)$|^lost\+found$' |
xargs rm -rf .[^.]*
# maybe we should stick with the find command used currently, but since it
# checks UID on the preserved files, and cleans out /tmp/lost+found.
# I like my version for efficiency, though :) somebody check that egrep
# command if you decide to use it, though :) (I haven't tried this script.)
[ "$make_x" = yes ] && mkdir --mode=1777 .X11-unix
[ "$make_esd" = yes ] && mkdir --mode=1777 .esd
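An added example, not part of Peter's mail and not the bootmisc.sh of any Debian package: a pair of hypothetical helpers, check_socket_dir and ensure_socket_dir, that a boot-time cleaner could call for /tmp/.X11-unix and /tmp/.esd. They classify the "bogus" states the thread describes (a plain file left by touch, a parked symlink, a directory with wrong permissions or a foreign owner) and repair them without ever recursing through a symlink. The demo uses a scratch directory from mktemp instead of /tmp, and the ownership test uses the user running the script, which is root when this runs from the boot sequence.

```shell
#!/bin/sh
# Hypothetical boot-time helpers (assumed names, not from any package):
# make sure a well-known socket directory such as /tmp/.X11-unix or
# /tmp/.esd is a real sticky, world-writable directory before X or esd
# try to create sockets in it.

# check_socket_dir BASE NAME
# Prints one word describing the state of BASE/NAME:
#   ok             a real directory with mode 1777
#   missing        nothing of that name exists
#   bogus-symlink  a symlink is parked there (never followed)
#   bogus-file     a non-directory, e.g. the result of "touch"
#   bad-owner      a directory, but not owned by the user running this
#   bad-mode       a directory, but not drwxrwxrwt
check_socket_dir() {
    p="$1/$2"
    if [ -L "$p" ]; then echo bogus-symlink; return 0; fi
    if [ ! -e "$p" ]; then echo missing; return 0; fi
    if [ ! -d "$p" ]; then echo bogus-file; return 0; fi
    if [ ! -O "$p" ]; then echo bad-owner; return 0; fi
    # ls -ld is POSIX; the first ten characters are type and mode bits,
    # so ACL or SELinux markers in column 11 are ignored.
    mode=$(ls -ld "$p" | cut -c1-10)
    if [ "$mode" != "drwxrwxrwt" ]; then echo bad-mode; return 0; fi
    echo ok
}

# ensure_socket_dir BASE NAME
# Repairs whatever check_socket_dir found; returns 0 once the state is "ok".
# A symlink or plain file is unlinked with rm -f, which does not follow links;
# rm -rf is only reached after the symlink test has already failed, and this
# is meant for boot time, before any user session could race it.
ensure_socket_dir() {
    base="$1"; name="$2"; p="$base/$name"
    case "$(check_socket_dir "$base" "$name")" in
        ok) ;;
        missing) mkdir -m 1777 "$p" ;;
        bogus-symlink|bogus-file) rm -f "$p" && mkdir -m 1777 "$p" ;;
        bad-owner) rm -rf "$p" && mkdir -m 1777 "$p" ;;
        bad-mode) chmod 1777 "$p" ;;
    esac
    [ "$(check_socket_dir "$base" "$name")" = ok ]
}

# demo: replay the pre-existing-file case from the report, in a scratch
# directory rather than /tmp, and show the check before and after repair.
demo() {
    base=$(mktemp -d)
    : > "$base/.X11-unix"     # constructed: the "touch" from the bug report
    echo "before: $(check_socket_dir "$base" .X11-unix)"
    ensure_socket_dir "$base" .X11-unix
    echo "after:  $(check_socket_dir "$base" .X11-unix)"
    rm -rf "$base"
}
if [ "${1:-}" = demo ]; then demo; fi
```

From bootmisc.sh the calls would be ensure_socket_dir /tmp .X11-unix and ensure_socket_dir /tmp .esd after the cleaner has run; checking with `-L` before anything is removed is what keeps the "symlink called .X11-unix" case from making rm do something nasty.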
--
#define X(x,y) x##y
DUPS Secretary ; http://is2.dal.ca/~dups/
Peter Cordes ; e-mail: X(peter@cordes.phys. , dal.ca)
"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BCE