Re: [gdm-list] Security?

Ray Strode wrote:
>>>> If it isn't clear (it seems like it's not from your responses) I'm not
>>>> tied to the g_rand_* apis at all, though.  I'm in the process of
>>>> rewriting the code to use /dev/urandom.
>>> I just committed this patch to subversion:
>>>
>>> http://www.gnome.org/~halfline/urandom.patch
>> There is no fallback if /dev/urandom is not available?
> What fallbacks guarantee enough entropy to be comparable?
> 
> - pid and current time are usually sequential and easy to guess
> 
> if a platform someone cares about doesn't support /dev/urandom we'll
> have to fix GDM to use a different prescribed mechanism for that
> platform.  This is where having a suitable api in glib would really
> shine...

[Some extra thoughts on security are also attached below.]

I just checked and it seems that /dev/urandom is fairly well supported.  So
it's a reasonable position.  This should be checked in configure I think.

As for reasonable fallbacks: time in microseconds usually gets you about 20+
bits of entropy if I remember correctly.  pid/ppid only work against moronic
attackers.  Time in seconds gets you an extra few bits of entropy.  You can
store the last cookie in a file readable only by root and use that to
add some more entropy.

As for other security issues: I did not have time to check out the design of
the new gdm, but I saw something on the list that sounded like some sort of
full session running as the gdm user?  That sounds like a horrible idea to
me.  Most gnome software just was not tested for use by an untrusted
source.  The assumption in most of the gnome stack is that the user is trusted.
The less software runs as gdm the better.  That's why I never wanted
something like metacity and gconf running.  Any problem exploitable in any
software running as a greeter can lead to either snooping or privilege
escalation.  Just because it is running as the gdm user and not as root doesn't
mean that it is completely safe.

Second, what about disk-filling DoS attacks?  One is the X server output.  It
is not hard to have the X server spew gigabytes of stupid output in a fairly
short time.  There needs to be throttling / limits on X server output,
especially since the X server writes as root, so there is no 5% limit; this
effectively either disables a system or makes it vulnerable to attack without
trace.  Filling a disk can trigger all kinds of exploitable errors in other
software.

.xsession-errors can also be used for a remote DoS attack.  Suppose I figure
out how to make a web browser spew garbage to stdout/stderr.  Or a well
crafted spreadsheet file, whatever.  If the attacker could somehow hook
this into session startup, this can really be evil.  Note that the user will
generally NOT know about .xsession-errors.  Too much output should silently be
thrown away; it should not have any adverse effect, either by
filling up space, or by hanging or crashing applications.  That's why the
.xsession-errors handling was rather complex.

You must be careful about NFS.  GDM should be smart and try to automatically
detect NFS and never put cookies and other private data into NFS mounted home
directory.  Assume the sysadmin does not know this, it is a fair assumption
that most don't know about this problem.  It might be OK to just use /tmp for
cookies by default unless the setup is changed into home directory.

What about Xlib calls?  Note that these are blocking and I can't see how you
can do any Xlib calls in a daemon that is event based, and still expect the
daemon to not be DoSable by having it do some hanging Xlib call or getting an
Xlib call that hits a connection error (you can only longjmp out of that
mess).  Unless you implement Xlib in a nonblocking way.

What about XDMCP pinging?  This is a must for XDMCP computer labs.  Turning
off a computer or a crash usually means that gdm will never know that this
happened.  And this means the user never gets logged off without a pinging
setup; this can of course lead to DoS attacks and, more generally, to
very annoyed computer lab admins.

George

-- 
George <jirka 5z com>
   Religion is what keeps the poor from murdering the rich.
                       -- Napoleon
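The thread above settles on reading cookies from /dev/urandom with no pid/time fallback. As an added illustration of what that path looks like when done carefully (this is example code written for this page, not GDM's code or Ray's patch), the block below reads a 128-bit cookie (the size of an MIT-MAGIC-COOKIE-1) from /dev/urandom, handling EINTR and short reads, refusing a /dev/urandom that is not a character device, and reporting failure to the caller instead of silently degrading. The function names `read_urandom`, `bytes_to_hex` and `generate_cookie_hex` are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* MIT-MAGIC-COOKIE-1 cookies are 128 bits. */
#define COOKIE_LEN 16

/* Read exactly `len` bytes from /dev/urandom into `out`.
 * Handles EINTR and short reads.  Returns 0 on success, -1 on any
 * failure (device missing, not a character device, read error, EOF).
 * Deliberately no fallback to pid/time: the caller decides policy.
 * (Hypothetical helper written for this example.) */
int
read_urandom (unsigned char *out, size_t len)
{
  int fd;
  struct stat st;
  size_t got = 0;

  fd = open ("/dev/urandom", O_RDONLY);
  if (fd < 0)
    return -1;

  /* A regular file planted at /dev/urandom must not be trusted. */
  if (fstat (fd, &st) != 0 || !S_ISCHR (st.st_mode)) {
    close (fd);
    return -1;
  }

  while (got < len) {
    ssize_t n = read (fd, out + got, len - got);
    if (n < 0) {
      if (errno == EINTR)
        continue;
      close (fd);
      return -1;
    }
    if (n == 0) {
      /* EOF from urandom should never happen; treat as failure. */
      close (fd);
      return -1;
    }
    got += (size_t) n;
  }

  close (fd);
  return 0;
}

/* Lowercase-hex encode `len` bytes into `hex` (needs 2*len+1 chars). */
void
bytes_to_hex (const unsigned char *bytes, size_t len, char *hex)
{
  static const char digits[] = "0123456789abcdef";
  size_t i;

  for (i = 0; i < len; i++) {
    hex[2 * i]     = digits[bytes[i] >> 4];
    hex[2 * i + 1] = digits[bytes[i] & 0x0f];
  }
  hex[2 * len] = '\0';
}

/* Produce a fresh cookie as a 32-character hex string.
 * Returns 0 on success, -1 if no usable /dev/urandom was available. */
int
generate_cookie_hex (char hex[2 * COOKIE_LEN + 1])
{
  unsigned char raw[COOKIE_LEN];

  if (read_urandom (raw, sizeof raw) != 0)
    return -1;
  bytes_to_hex (raw, sizeof raw, hex);
  return 0;
}
```

The short-read loop matters more than it looks: a single `read()` of 16 bytes from /dev/urandom is almost always complete on Linux, but treating a partial read as success would leave part of the cookie uninitialised, which is exactly the sort of quiet weakening the thread is trying to avoid.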

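George's point about .xsession-errors is that excess output must be discarded silently rather than fill the disk or block the noisy application. As an added example (not GDM's actual .xsession-errors code, and the name `capped_log_write`, the struct and the cap value are all hypothetical), the block below wraps writes to a log descriptor so that bytes beyond a fixed cap are dropped, write errors such as a full disk are swallowed, and the caller is always told its whole buffer was consumed.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical hard limit on bytes accepted into a session error log. */
#define XSESSION_ERRORS_CAP (512UL * 1024UL)

struct capped_log {
  int    fd;       /* destination, e.g. an open .xsession-errors */
  size_t written;  /* bytes actually written so far */
  size_t cap;      /* hard limit; anything beyond it is dropped */
};

/* Write up to the remaining room, then silently discard.
 * Always reports `len` as consumed so a misbehaving client never sees
 * ENOSPC, EFBIG or a write that hangs; the log simply stops growing.
 * (Hypothetical helper written for this example.) */
ssize_t
capped_log_write (struct capped_log *log, const char *buf, size_t len)
{
  size_t room = log->cap > log->written ? log->cap - log->written : 0;
  size_t todo = len < room ? len : room;
  size_t done = 0;

  while (done < todo) {
    ssize_t n = write (log->fd, buf + done, todo - done);
    if (n < 0) {
      if (errno == EINTR)
        continue;
      /* Disk full or other error: drop the rest, still report success. */
      break;
    }
    done += (size_t) n;
  }

  log->written += done;
  return (ssize_t) len;
}
```

In a real greeter the descriptor would be the file GDM opens for the session's stderr, and the cap would be a configured value; the point of the example is only that the limit is enforced on the writing side, where the user's applications cannot opt out of it.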
