Re: ORBit2 problem with /tmp



Le mar 27/08/2002 à 15:31, Michael Meeks a écrit :
> 
> On Tue, 2002-08-27 at 10:10, Frederic Crozat wrote:
> > This is a forward of a mail I sent to Michael yesterday.
> 
> 	My reply is in-line.
> 
> Hi Frederic,
> 
> On Mon, 2002-08-26 at 18:21, Frederic Crozat wrote:
> > as part of our tests for Mandrake 9.0, we have discovered that ORBit2
> > doesn't work correctly (it crashes) when a Mandrake system is set to
> > security level 5 (a lot of things are not permitted for normal
> > users..)
> 
>         Fair enough.
> 
> > After some investigations, it seems ORBit2 doesn't like at all when
> > /tmp is not readable by everyone (security level 5 enforces /tmp not
> > readable by users)..
> 
>         Oh; hmm.
> 
> > I've looked quickly at the ORBit2 code and it seems scan_socket_dir is
> > the guilty method.. Since I'm not sure how to fix this problem cleanly
> > (ie without regression in ORBit behavior), I prefer to ask you :)
> 
>         Ok - the reason it scans the directory is this:
> 
>         a) We used to use /tmp/orbit-$USER
>         b) It's possible to create that directory, and it not be owned
>            by the user, thus total denial of service for Gnome stuff.
>         c) So, we need to scan and create iterative random directories
>            until we get one with the right permissions, also - it's 
>            vital that all other apps share this same directory.
> 
>         So - in order to stop a race condition, and communicate the new
> name to avoid a denial of service (still present in the 1.4 stuff) - we
> have to do the scan.
> 
>         There are a couple of possible solutions:
> 
>         a) Write some code for linc/ORBit2 to use the 'virtual' unix 
>            socket namespace, this would be neater for cleanup, but we 
>            can't rely on the unix permissions at bind time - so we'd 
>            have to add some user authentication stuff - which would be
>            good anyway.
> 
>         b) Bin the denial of service workaround stuff - you'll still be
>            vulnerable, but ... [ perhaps you can do this - only in 
>            security level 5 (looks like an own goal there) ]
> 
>         apart from that I'm pretty stuck; Dick can help you with a)
> there was a bug filed against it, but I think it might be filed against
> ORBit instead of ORBit2 - so I'm not seeing it ;-)

Ok, here is a workaround which prevents ORBit2 from crashing when /tmp is
not readable and will work when /tmp/orbit-$USER is available.. Not
perfect but better than nothing..

Release team, do you think we should add it to the stable branch? (I
think so..)

-- 
Frederic Crozat
MandrakeSoft
--- ORBit2-2.4.1/src/orb/GIOP/giop.c.tmpdir	2002-06-25 17:09:02.000000000 +0200
+++ ORBit2-2.4.1/src/orb/GIOP/giop.c	2002-08-30 16:26:32.000000000 +0200
@@ -62,6 +62,18 @@
 	g_return_val_if_fail (prefix != NULL, NULL);
 	
 	dirh = opendir (dir);
+	/* prevent crash if dir is not readable */
+	if (!dirh) { /* try prefix, just in case.. */
+	  cur_dir = g_strconcat (dir, "/", prefix, NULL);
+	  if (test_safe_socket_dir (cur_dir)) {
+	    return cur_dir;
+	  }
+	  else {
+	    g_free (cur_dir);
+	    return NULL;
+	  }
+	}
+
 	prefix_len = strlen (prefix);
 
 	while ((dent = readdir (dirh))) {
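Review bot: the `if (!dirh)` branch returns before the `readdir` loop, so when `opendir (dir)` fails the random-directory scan that Michael describes as the denial-of-service guard is skipped and only the fixed `dir/prefix` path is tried, accepted solely on `test_safe_socket_dir (cur_dir)`; that is the "bin the DoS workaround" mode from the thread and the comment `/* try prefix, just in case.. */` should say so explicitly, and every caller of this function must now cope with a NULL return on an unreadable /tmp rather than a crash. Two smaller points: `cur_dir` is assigned here but its declaration is outside the hunk, so please confirm it is in scope and not shadowing the variable the loop below uses, and the new block is indented with two spaces while the surrounding code uses tabs (`}\n+\t  else {` would normally be `} else {` in this file's style).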
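The thread's security point is that an attacker who can pre-create /tmp/orbit-$USER denies service to every GNOME program of that user, so a directory must never be trusted just because it exists. The check below is an added illustration of that rule, written for this message and not taken from ORBit2 or linc; the function names (check_private_dir, ensure_private_dir, run_self_check) and the "/tmp/orbit-check-XXXXXX" name it creates are hypothetical. It creates the directory with mode 0700 if missing, tolerates an existing one, and then verifies with lstat that the path is a real directory (not a symlink), owned by the calling user, and not accessible to group or others; each failure is reported as a distinct status so the caller can decide whether to fall back to a fresh random name, as the scan in ORBit2 does.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Distinct outcomes so a caller can tell "create it" from "someone planted it". */
typedef enum {
    DIR_OK = 0,
    DIR_MISSING,      /* path does not exist (safe to mkdir) */
    DIR_NOT_DIR,      /* a file or symlink sits where the directory should be */
    DIR_WRONG_OWNER,  /* exists but belongs to another uid: classic /tmp DoS */
    DIR_TOO_OPEN      /* group/other bits set: other users could read or plant sockets */
} dir_status;

/* Hypothetical check, modelled on what a test_safe_socket_dir-style function
 * must verify.  lstat (not stat) is used so a symlink is never followed. */
dir_status check_private_dir(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return DIR_MISSING;
    if (!S_ISDIR(st.st_mode))
        return DIR_NOT_DIR;
    if (st.st_uid != getuid())
        return DIR_WRONG_OWNER;
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return DIR_TOO_OPEN;
    return DIR_OK;
}

/* Create-then-verify: mkdir first (EEXIST is fine), then re-check the result.
 * Existence is never taken as proof of ownership; that is the whole point. */
dir_status ensure_private_dir(const char *path)
{
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return DIR_MISSING;
    return check_private_dir(path);
}

/* Self-check on a constructed temporary name; returns 1 when every case
 * behaves as documented above, 0 otherwise.  Cleans up after itself. */
int run_self_check(void)
{
    char tmpl[] = "/tmp/orbit-check-XXXXXX";   /* constructed, not ORBit's real name */
    char inner[512];
    char *dir = mkdtemp(tmpl);                 /* mkdtemp creates with mode 0700 */
    FILE *f;
    int ok = 1;

    if (dir == NULL)
        return 0;

    ok = ok && check_private_dir(dir) == DIR_OK;
    ok = ok && ensure_private_dir(dir) == DIR_OK;          /* existing dir tolerated */

    /* A directory readable by others must be rejected, even though it is ours. */
    ok = ok && chmod(dir, 0755) == 0;
    ok = ok && check_private_dir(dir) == DIR_TOO_OPEN;
    ok = ok && chmod(dir, 0700) == 0;

    /* A plain file planted where the socket directory should be is rejected. */
    snprintf(inner, sizeof inner, "%s/planted", dir);
    f = fopen(inner, "w");
    ok = ok && f != NULL;
    if (f) fclose(f);
    ok = ok && check_private_dir(inner) == DIR_NOT_DIR;
    unlink(inner);

    /* A missing path is reported as such, and ensure_private_dir creates it. */
    snprintf(inner, sizeof inner, "%s/fresh", dir);
    ok = ok && check_private_dir(inner) == DIR_MISSING;
    ok = ok && ensure_private_dir(inner) == DIR_OK;
    rmdir(inner);

    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("self-check: %s\n", run_self_check() ? "all cases behave as expected" : "FAILED");
    return 0;
}
```

The DIR_WRONG_OWNER case cannot be exercised from an unprivileged self-check (it needs a directory owned by a different uid), which is exactly the situation a system-wide /tmp exposes and why ORBit2 falls back to scanning for a fresh random name instead of reusing a fixed one.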

