Carsten Haitzler <ras...@rasterman.com> writes:

> On Wed, 28 Jul 2021 09:51:53 +0000 Simon Ser <cont...@emersion.fr> said:
>
>> Please read the (lengthy) discussion at [1].
>>
>> [1]: https://gitlab.freedesktop.org/wayland/weston/-/issues/206
>>
>> In particular, the "get_credentials → PID → executable path" lookup is
>> racy. PID re-use allows a malicious process to be recognized as another
>> executable.
>
> That is true - but only at cusp points - e.g. PID has exited, but socket has
> not been detected as dead yet and PID was recycled. If you do the lookup then,
> it'd be a problem.
>
> If you do the lookup first on initial connect, then ensure you do at least one
> round-trip to client (send something, it sends back a reply), then that lookup
> would be valid (and continue to be valid for the duration of that connection)
> because the PID lookup is sandwiched between a connect and an active round-trip
> (thus the socket didn't die with the process). The round trip does need to be
> some kind of ping that the compositor sends some UUID it generates with random
> content and the reply is a pong with that UUID back - thus it can't be spoofed.
Hmm, I'm having trouble squaring this with Simon's proof of concept attack [1]. In particular, as that PoC demonstrates, there's no guarantee that the socket will die when the process does, right? (Because the fd could be shared with other processes.)

> Indeed using systemd to get cgroup info from a client fd is also possible. The
> point does remain that adding a proxy in becomes problematic.

[1]: https://gitlab.freedesktop.org/wayland/weston/-/issues/206#note_176699
_______________________________________________
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/wayland-devel