OoO En ce début d'après-midi nuageux du mardi 17 janvier 2012, vers 14:43, Petter Reinholdtsen <p...@hungry.com> disait :
> Package: xrdp > Version: 0.5.0~20100303cvs-6 > Tags: security > Severity: important > User: debian-...@lists.debian.org > Usertags: debian-edu > I discovered this on Debian Edu/Squeeze, and it made me wonder if there > is some security risk involved here. > When starting xrdp, the following files are created in /tmp/: > srwxr-xr-x 1 xrdp xrdp 0 16 jan. 09:49 > /tmp/xrdp_000007ba_listen_pro_done_event > srwxr-xr-x 1 xrdp xrdp 0 16 jan. 09:49 /tmp/xrdp_000007ba_main_sync > srwxr-xr-x 1 xrdp xrdp 0 16 jan. 09:49 /tmp/xrdp_000007ba_main_term > srwxr-xr-x 1 root root 0 16 jan. 09:49 /tmp/xrdp_sesman_000007cc_main_sync > srwxr-xr-x 1 root root 0 16 jan. 09:49 /tmp/xrdp_sesman_000007cc_main_term > The file names seem to be predictable, and unless much care is taken > when the files are created, this could be a security risk. Is this a > security issue, or is it harmless? The issue is harmless. It is not possible to exploit symlink attacks with Unix sockets. You'll get a "Address already in use" error when trying to do so. Also, I am unsure if the names matter. For example, a predictable name could be used to allow unrelated processes to find each other. Looking at the source code, this does not seem the case. > In any case, it would be nice if these sockets could be moved elsewhere, > either into a subdirectory like /tmp/xrdp/ or into /var/run/. I assume > they should not be automatically cleaned out by the jobs that might > remove old files from /tmp/ from time to time. Yes, in /run/xrdp. I am making a patch for this. This will also solve the "security" issue (since it could be possible to a DoS attack). -- Vincent Bernat ☯ http://vincent.bernat.im Make sure special cases are truly special. - The Elements of Programming Style (Kernighan & Plauger)
pgp5krBcIful2.pgp
Description: PGP signature