On Wed, 28 Jul 2021 09:51:53 +0000 Simon Ser <cont...@emersion.fr> said:
> Please read the (lengthy) discussion at [1].
>
> [1]: https://gitlab.freedesktop.org/wayland/weston/-/issues/206
>
> In particular, the "get_credentials → PID → executable path" lookup is
> racy. PID re-use allows a malicious process to be recognized as another
> executable.

That is true - but only at cusp points - e.g. PID has exited, but socket has not been detected as dead yet and PID was recycled. If you do the lookup then, it'd be a problem. If you do the lookup first on initial connect, then ensure you do at least one round-trip to the client (send something, it sends back a reply), then that lookup would be valid (and continue to be valid for the duration of that connection) because the PID lookup is sandwiched between a connect and an active round-trip (thus the socket didn't die with the process).

The round trip does need to be some kind of ping where the compositor sends some UUID it generates with random content and the reply is a pong with that UUID back - thus it can't be spoofed.

Indeed, using systemd to get cgroup info from a client fd is also possible.

The point does remain that adding a proxy in becomes problematic.

-- 
------------- Codito, ergo sum - "I code, therefore I am" --------------
Carsten Haitzler - ras...@rasterman.com

_______________________________________________
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/wayland-devel
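The "sandwich" described in the reply above, as an added example that is not part of the thread and not Weston's or any compositor's own code. It assumes Linux (SO_PEERCRED and /proc/<pid>/exe), a stream AF_UNIX socket, and a made-up wire format (`PING`+nonce / `PONG`+nonce); the client end is a thread in the same process, so the peer PID resolved is the demo's own. Everything else (function names, the three client modes) is invented for illustration. The identity obtained from the credential lookup is returned only after a fresh random nonce has made the round trip on the same socket; a tampered pong or a peer that vanishes before answering yields no identity at all.

```python
"""
Peer-credential lookup sandwiched between connect and a nonce round trip.

Order on the compositor side (assumed example, Linux only):
  1. socket is connected / accepted
  2. SO_PEERCRED -> pid; /proc/<pid>/exe -> executable path  (racy on its own)
  3. ping with a random nonce; client must echo it back on the same socket
The identity from step 2 is trusted only if step 3 succeeds: the process that
owned the socket at step 2 was demonstrably still alive afterwards, so its PID
cannot have been recycled between the lookup and the first use of the result.
"""
import os
import secrets
import socket
import struct
import threading
from dataclasses import dataclass
from typing import Optional

NONCE_LEN = 16   # 128 random bits: a spoofing peer cannot guess the pong
TIMEOUT_S = 2.0  # how long the compositor waits for the pong


@dataclass
class PeerIdentity:
    pid: int
    uid: int
    gid: int
    exe: str


def linux_peercred_available() -> bool:
    """True where the example can run (SO_PEERCRED and /proc present)."""
    return hasattr(socket, "SO_PEERCRED") and os.path.exists("/proc/self/exe")


def lookup_peer(sock: socket.socket) -> PeerIdentity:
    """Step 2: get_credentials -> PID -> executable path. Raises if pid is gone."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, uid, gid = struct.unpack("3i", raw)          # struct ucred: pid, uid, gid
    return PeerIdentity(pid, uid, gid, os.readlink(f"/proc/{pid}/exe"))


def recv_exact(sock: socket.socket, n: int) -> Optional[bytes]:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:                                  # peer closed: socket is dead
            return None
        buf += chunk
    return buf


def ping_pong(sock: socket.socket) -> bool:
    """Step 3: send a fresh nonce, accept only an exact echo from the same socket."""
    nonce = secrets.token_bytes(NONCE_LEN)
    sock.settimeout(TIMEOUT_S)
    try:
        sock.sendall(b"PING" + nonce)
        reply = recv_exact(sock, 4 + NONCE_LEN)
    except OSError:                                    # EPIPE, reset, timeout ...
        return False
    return (reply is not None and reply[:4] == b"PONG"
            and secrets.compare_digest(reply[4:], nonce))


def authenticate_peer(sock: socket.socket) -> Optional[PeerIdentity]:
    """Lookup first, then the round trip; the lookup result is released only after it."""
    try:
        ident = lookup_peer(sock)
    except OSError:
        return None
    if not ping_pong(sock):
        return None   # peer died or lied; the PID may already belong to someone else
    return ident


def answer_ping(sock: socket.socket, mode: str) -> None:
    """Stand-in client. mode: 'honest' echoes, 'tamper' corrupts, 'vanish' exits."""
    if mode == "vanish":
        sock.close()
        return
    msg = recv_exact(sock, 4 + NONCE_LEN)
    if msg is None or msg[:4] != b"PING":
        return
    nonce = msg[4:]
    if mode == "tamper":
        nonce = bytes(b ^ 0xFF for b in nonce)
    sock.sendall(b"PONG" + nonce)


def self_identity() -> PeerIdentity:
    """What lookup_peer should report for a peer living in this very process."""
    return PeerIdentity(os.getpid(), os.getuid(), os.getgid(), os.readlink("/proc/self/exe"))


def demo(mode: str = "honest") -> Optional[PeerIdentity]:
    """Run compositor and client ends over a socketpair; returns the trusted identity or None."""
    srv, cli = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    client = threading.Thread(target=answer_ping, args=(cli, mode))
    client.start()
    ident = authenticate_peer(srv)
    client.join()
    srv.close()
    cli.close()
    return ident


if __name__ == "__main__":
    for m in ("honest", "tamper", "vanish"):
        print(m, "->", demo(m))
```

Two things the round trip does not buy you, both raised elsewhere in the thread: it pins the identity to the socket, not to the path, so `/proc/<pid>/exe` is only as meaningful as the namespace you read it from, and a proxy sitting between compositor and real client is what gets authenticated, not whatever is behind it.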