Bug#526678: Passes magic cookie insecurity
On Sat, May 2, 2009 at 17:57:24 +0200, Loïc Minier wrote:
> # Start Xvfb.
> MCOOKIE=$(mcookie)
> XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
> >"$ERRORFILE" 2>&1
>
> which is insecure as the MCOOKIE value can be seen for a split second
> in the list of processes.
>
> I think "xauth source -" or a similar construct should be used.
>
Can I get another pair of eyes before I commit this?
Also I don't quite like the fact that we use /tmp/xvfb-run.$$ as a temp
dir instead of using something like 'mktemp -t -d xvfb-run.XXXXXX'.
diff --git a/debian/local/xvfb-run b/debian/local/xvfb-run
index c85f86a..b11130a 100644
--- a/debian/local/xvfb-run
+++ b/debian/local/xvfb-run
@@ -157,8 +157,9 @@ fi
# Start Xvfb.
MCOOKIE=$(mcookie)
-XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
- >>"$ERRORFILE" 2>&1
+XAUTHORITY=$AUTHFILE xauth source - << EOF >>"$ERRORFILE" 2>&1
+add :$SERVERNUM $XAUTHPROTO $MCOOKIE
+EOF
XAUTHORITY=$AUTHFILE Xvfb ":$SERVERNUM" $XVFBARGS $LISTENTCP >>"$ERRORFILE" \
2>&1 &
XVFBPID=$!
Cheers,
Julien
Reply to: