Carsten Haitzler <ras...@rasterman.com> writes:

> On Wed, 28 Jul 2021 09:51:53 +0000 Simon Ser <cont...@emersion.fr> said:
>
>> Please read the (lengthy) discussion at [1].
>> 
>> [1]: https://gitlab.freedesktop.org/wayland/weston/-/issues/206
>> 
>> In particular, the "get_credentials → PID → executable path" lookup is
>> racy. PID re-use allows a malicious process to be recognized as another
>> executable.
>
> That is true - but only at cusp points - e.g. PID has exited, but socket has
> not been detected as dead yet and PID was recycled. If you do the lookup then,
> it'd be a problem.
>
> If you do the lookup first on initial connect, then ensure you do at least one
> round-trip to client (send something, it sends back a reply), then that lookup
> would be valid (and continue to be valid for the duration of that connection)
> because the PID lookup is sandwiched between a connect and an active round-trip
> (thus the socket didn't die with the process). The round trip does need to be
> some kind of ping that the compositor sends some UUID it generates with random
> content and the reply is a pong with that UUID back - thus it can't be spoofed.

Hmm, I'm having trouble squaring this with Simon's proof of concept
attack[1].  In particular, as that PoC demonstrates, there's no guarantee
that the socket will die when the process does, right?  (Because the fd
could be shared with other processes.)

> Indeed using systemd to get cgroup info from a client fd is also possible. The
> point does remain that adding a proxy in becomes problematic.

[1]: https://gitlab.freedesktop.org/wayland/weston/-/issues/206#note_176699


_______________________________________________
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/wayland-devel
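Added example (editor's code, not from this thread, Weston or Wayland): a small Linux-only demonstration of the point in the reply above. A "compositor" accepts an AF_UNIX connection, reads the peer PID with SO_PEERCRED, resolves it through /proc/<pid>/exe and then runs exactly the random-UUID ping/pong round-trip proposed in the quoted message. The "client" hands its connected fd to a child (fork stands in for SCM_RIGHTS fd passing) and exits. The round-trip still succeeds, but the PID the lookup was bound to no longer exists and is free for reuse. The socket path, the 16-byte nonce and the returned dict are this example's own choices.

```python
"""Editor's example (not thread/Weston code): SO_PEERCRED names the process that
called connect(); the connection itself can outlive that process.  Linux only."""
import os
import socket
import struct
import sys
import tempfile
import uuid


def peer_pid(conn):
    """PID recorded for the peer of an AF_UNIX stream socket.

    SO_PEERCRED returns struct ucred {pid, uid, gid}, filled in by the kernel at
    connect() time.  It names the process that connected, not whoever currently
    holds the other end of the socket.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, _uid, _gid = struct.unpack("3i", raw)
    return pid


def exe_of(pid):
    """The '/proc/<pid>/exe' lookup under discussion; None once the PID is gone."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None


def nonce_round_trip(conn):
    """The ping/pong from the quoted proposal: send a random UUID, require it back."""
    nonce = uuid.uuid4().bytes  # 16 bytes of random content
    conn.sendall(nonce)
    return conn.recv(len(nonce), socket.MSG_WAITALL) == nonce


def demo():
    """Returns what the 'compositor' side observed, or None when not on Linux."""
    if not sys.platform.startswith("linux"):
        return None
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sock")  # assumed socket location
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        srv.listen(1)

        connector = os.fork()
        if connector == 0:
            # The process that calls connect(): it hands the fd to a child and exits.
            cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            cli.connect(path)
            if os.fork() == 0:
                # Holder of the fd, reparented to init once the connector is gone.
                # It answers the ping on a connection it never opened itself.
                cli.sendall(cli.recv(16, socket.MSG_WAITALL))
                cli.close()
            os._exit(0)

        conn, _ = srv.accept()
        os.waitpid(connector, 0)  # connector reaped: its PID is now free for reuse
        pid = peer_pid(conn)
        observed = {
            "peer_pid": pid,
            "peer_is_connector": pid == connector,  # credentials froze at connect()
            "peer_exe": exe_of(pid),                # nothing to resolve any more
            "round_trip_ok": nonce_round_trip(conn),  # yet the ping is answered
        }
        conn.close()
        srv.close()
        return observed


if __name__ == "__main__":
    print(demo())
```

The round-trip only proves that something holds the other end of the socket, not that it is the process SO_PEERCRED named; once that PID is reused by an unrelated executable, a /proc/<pid>/exe check done at that moment attributes the connection to it. A check tied to the fd's owner at connect time cannot be repaired by a later ping, which is why the thread turns to cgroup lookups instead.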
