bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-30 11:05 UTC
[Bug 1789] New: On linux use abstract socket for X11 connections if possible
https://bugzilla.mindrot.org/show_bug.cgi?id=1789

           Summary: On linux use abstract socket for X11 connections if possible
           Product: Portable OpenSSH
           Version: 5.5p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: jchadima at redhat.com

The abstract socket on Linux is independent of the file system and has no file system representation. This is useful when the SELinux rules prevent the /tmp directory (using namespaces).

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-30 11:07 UTC
[Bug 1789] On linux use abstract socket for X11 connections if possible
https://bugzilla.mindrot.org/show_bug.cgi?id=1789

--- Comment #1 from jchadima at redhat.com ---
Created attachment 1889
  --> https://bugzilla.mindrot.org/attachment.cgi?id=1889
patch solving the problem
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-30 12:51 UTC
[Bug 1789] On linux use abstract socket for X11 connections if possible
https://bugzilla.mindrot.org/show_bug.cgi?id=1789

--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
Comment on attachment 1889
  --> https://bugzilla.mindrot.org/attachment.cgi?id=1889
patch solving the problem

Leaving aside the merits of the rest of the change, this part is trivially broken on any platform that isn't linux since "len" will be undefined:

>+#ifdef linux
>+	int len, ret;
>+#endif
>+	len = snprintf(buf, sizeof buf, _PATH_UNIX_X, dnr);
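Review bot: `len` is declared only inside the `#ifdef linux` block but assigned unconditionally on the very next line, so every non-Linux build fails to compile; declare `int len;` outside the conditional (or guard the assignment the same way). The `snprintf` result is also used without a check: it is negative on error and equal to or greater than `sizeof buf` on truncation, and either value passed on to `memcpy` as a `size_t` copies far beyond the buffer, so insert `if (len < 0 || (size_t)len >= sizeof buf)` and bail out before `len` is used as a length. Minor: the bare `linux` macro is not defined in strict ISO mode (`-std=c99` and friends); `__linux__` is the reliable spelling.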
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-30 13:08 UTC
[Bug 1789] On linux use abstract socket for X11 connections if possible
https://bugzilla.mindrot.org/show_bug.cgi?id=1789

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #3 from Darren Tucker <dtucker at zip.com.au> ---
also, if snprintf fails it'll call memcpy with a length of -1 (cast to size_t) and probably overwrite something that you'd rather it didn't.
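The two review points above (an `snprintf` result fed unchecked to `memcpy`, and the extra leading NUL that a Linux abstract socket address needs) are illustrated by the following added example. It is not code from the attached patches or from OpenSSH: the path template `X11_SOCKET_TEMPLATE`, the helpers `x11_socket_name` and `x11_sockaddr`, and the display numbers used are assumptions chosen to mirror the `/tmp/.X11-unix/X<n>` socket the bug is about.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Assumed path template with the same shape as the X11 server socket
 * /tmp/.X11-unix/X<display> discussed in this bug (not OpenSSH's _PATH_UNIX_X). */
#define X11_SOCKET_TEMPLATE "/tmp/.X11-unix/X%u"

/*
 * Format the socket name for display number `dnr` into `buf`.
 * Returns the number of bytes written (excluding the terminator), or -1 when
 * snprintf() reports an error (negative return) or truncation (return value
 * >= buffer size). The raw snprintf() result must never reach memcpy():
 * a negative int converted to size_t becomes an enormous copy length.
 */
int x11_socket_name(char *buf, size_t bufsz, unsigned int dnr)
{
    int len = snprintf(buf, bufsz, X11_SOCKET_TEMPLATE, dnr);

    if (len < 0 || (size_t)len >= bufsz)
        return -1;
    return len;
}

/*
 * Fill in a sockaddr_un for X11 display `dnr`. With `abstract` set, the
 * address goes into the Linux abstract namespace: sun_path starts with a NUL
 * byte and the name that follows is not NUL-terminated, so the length handed
 * to connect()/bind() must count exactly the bytes of the name.
 * Returns the socket address length to pass to connect(), or -1 on failure.
 */
int x11_sockaddr(struct sockaddr_un *addr, unsigned int dnr, int abstract)
{
    char name[sizeof(addr->sun_path)];
    int len;
    size_t used;

    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;

    len = x11_socket_name(name, sizeof name, dnr);
    if (len < 0)
        return -1;

    if (abstract) {
        /* Leading NUL marks the abstract namespace; the name follows it. */
        if ((size_t)len + 1 > sizeof(addr->sun_path))
            return -1;
        addr->sun_path[0] = '\0';
        memcpy(addr->sun_path + 1, name, (size_t)len);
        used = 1 + (size_t)len;
    } else {
        /* Filesystem socket: copy the name including its terminator. */
        memcpy(addr->sun_path, name, (size_t)len + 1);
        used = (size_t)len + 1;
    }
    return (int)(offsetof(struct sockaddr_un, sun_path) + used);
}

int main(void)
{
    struct sockaddr_un addr;
    char small[8];

    /* Filesystem path for display :0. */
    if (x11_sockaddr(&addr, 0, 0) > 0)
        printf("filesystem socket: %s\n", addr.sun_path);

    /* Same name in the abstract namespace; '@' stands in for the NUL. */
    if (x11_sockaddr(&addr, 0, 1) > 0)
        printf("abstract socket: @%s\n", addr.sun_path + 1);

    /* Truncation into a too-small buffer is rejected, not used as a length. */
    printf("8-byte buffer result: %d\n", x11_socket_name(small, sizeof small, 0));
    return 0;
}
```

The truncation check matters more than it looks: with `sun_path` limited to 108 bytes on Linux, a longer template or display string would otherwise silently produce a different socket name than intended, and a negative return would turn into a copy length of `SIZE_MAX` on the next line.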
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-30 13:25 UTC
[Bug 1789] On linux use abstract socket for X11 connections if possible
https://bugzilla.mindrot.org/show_bug.cgi?id=1789

jchadima at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1889|0                           |1
        is obsolete|                            |

--- Comment #4 from jchadima at redhat.com ---
Created attachment 1890
  --> https://bugzilla.mindrot.org/attachment.cgi?id=1890
patch solving the problem
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-30 13:28 UTC
[Bug 1789] On linux use abstract socket for X11 connections if possible
https://bugzilla.mindrot.org/show_bug.cgi?id=1789

jchadima at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1890|0                           |1
        is obsolete|                            |

--- Comment #5 from jchadima at redhat.com ---
Created attachment 1891
  --> https://bugzilla.mindrot.org/attachment.cgi?id=1891
patch solving the problem
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-30 13:29 UTC
[Bug 1789] On linux use abstract socket for X11 connections if possible
https://bugzilla.mindrot.org/show_bug.cgi?id=1789

jchadima at redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jchadima at redhat.com

--- Comment #6 from jchadima at redhat.com ---
Hoping this solved all problems.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-02 03:19 UTC
[Bug 1789] On linux use abstract socket for X11 connections if possible
https://bugzilla.mindrot.org/show_bug.cgi?id=1789

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #7 from Damien Miller <djm at mindrot.org> ---
Isn't the solution for SELinux rules breaking /tmp to fix the SELinux rules?

Abstract sockets look like a complete trainwreck waiting to happen: a brand new, completely unstructured but shared namespace, with zero intrinsic security protections (not even filesystem permissions) where every consumer application must implement security controls correctly, rather than letting the kernel do it.

At the very least, I think we will wait a while before rushing to add support for this to OpenSSH.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-02 03:57 UTC
[Bug 1789] On linux use abstract socket for X11 connections if possible
https://bugzilla.mindrot.org/show_bug.cgi?id=1789

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-02 07:29 UTC
[Bug 1789] On linux use abstract socket for X11 connections if possible
https://bugzilla.mindrot.org/show_bug.cgi?id=1789

--- Comment #8 from jchadima at redhat.com ---
(In reply to comment #7)
> Isn't the solution for SELinux rules breaking /tmp to fix the SELinux
> rules?

The namespaces create separate /tmp directories for each logged-in user (and one for the system also). There is no possibility to make system sockets under /tmp.

> Abstract sockets look like a complete trainwreck waiting to
> happen: a brand new, completely unstructured but shared namespace, with
> zero intrinsic security protections (not even filesystem permissions)
> where every consumer application must implement security controls
> correctly, rather than letting the kernel do it.
>
> At the very least, I think we will wait a while before rushing to add
> support for this to OpenSSH.

Have you any other idea how to safely solve this need?
bugzilla-daemon at bugzilla.mindrot.org
2010-Jul-02 08:19 UTC
[Bug 1789] On linux use abstract socket for X11 connections if possible
https://bugzilla.mindrot.org/show_bug.cgi?id=1789

--- Comment #9 from jchadima at redhat.com ---
(In reply to comment #7)
> ... namespace, with
> zero intrinsic security protections (not even filesystem permissions)

The file permissions of the whole /tmp/.X11.... are 0777 :D which is IMHO equivalent.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-25 05:33 UTC
[Bug 1789] On linux use abstract socket for X11 connections if possible
https://bugzilla.mindrot.org/show_bug.cgi?id=1789

Jan F. Chadima <jfch at jagda.eu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jfch at jagda.eu