
Bug#526678: Passes magic cookie insecurity



On Sat, May  2, 2009 at 17:57:24 +0200, Loïc Minier wrote:

> # Start Xvfb.
> MCOOKIE=$(mcookie)
> XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
>   >"$ERRORFILE" 2>&1
> 
>  which is insecure as the MCOOKIE value can be seen for a split second
>  in the list of processes.
> 
>  I think "xauth source -" or a similar construct should be used.
> 
Can I get another pair of eyes before I commit this?

Also I don't quite like the fact that we use /tmp/xvfb-run.$$ as a temp
dir instead of using something like 'mktemp -t -d xvfb-run.XXXXXX'.

diff --git a/debian/local/xvfb-run b/debian/local/xvfb-run
index c85f86a..b11130a 100644
--- a/debian/local/xvfb-run
+++ b/debian/local/xvfb-run
@@ -157,8 +157,9 @@ fi
 
 # Start Xvfb.
 MCOOKIE=$(mcookie)
-XAUTHORITY=$AUTHFILE xauth add ":$SERVERNUM" "$XAUTHPROTO" "$MCOOKIE" \
-  >>"$ERRORFILE" 2>&1
+XAUTHORITY=$AUTHFILE xauth source - << EOF >>"$ERRORFILE" 2>&1
+add :$SERVERNUM $XAUTHPROTO $MCOOKIE
+EOF
 XAUTHORITY=$AUTHFILE Xvfb ":$SERVERNUM" $XVFBARGS $LISTENTCP >>"$ERRORFILE" \
   2>&1 &
 XVFBPID=$!
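Review bot: the unquoted `<< EOF` delimiter is what makes this fix work (the shell expands `$MCOOKIE` into the data written to xauth's stdin instead of into its argv, so the cookie no longer appears in the process list); a one-line comment saying the delimiter must stay unquoted would keep a later cleanup from quoting it and silently feeding xauth the literal string `$MCOOKIE`. The removed lines passed `":$SERVERNUM"` and `"$XAUTHPROTO"` as shell-quoted single arguments, whereas the `add :$SERVERNUM $XAUTHPROTO $MCOOKIE` line is now tokenized on whitespace by xauth's own command parser; that is fine for the usual protocol names, which contain no whitespace, but is worth noting. As before, the exit status of the `xauth` command is not checked before Xvfb is started with that authority file, so a failed `add` only leaves a message in `$ERRORFILE`.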

Cheers,
Julien
