* dgod <[email protected]> [2010-06-11 03:42]:
> > Firstly, the socket is created in /tmp with a well-known name,
> > allowing for a simple DOS attack: any user can just mkdir
> > /tmp/lxdm.sock and lxdm won't start any more.
> >
> > Secondly, it does try to unlink before binding the socket, which
> > leads to a race condition creating another possibility for DOS
> > attacks.
> >
> Maybe moving lxdm.sock to the /var/run path would be helpful? Or just
> use an anonymous socket?

Well yeah, any directory which is owned by and only writable to root. If
you're not coming from a Unix background, please read up on the Unix
filesystem permissions model.

> > Thirdly, the socket is created world-writable, so any user can
> > just delete it anyway.
> >
> I want to make it writable by anyone, so make it anonymous too? Or maybe
> another method.

Why would you want to do that?

> > Avoiding this is Unix system programming 101, so my only
> > suggestion (as I have stated before) is to use an anonymous pipe
> > for signal handling (i.e. the self-pipe trick) and get rid of the
> > socket altogether. For IPC there are better methods such as
> > DBus. While I acknowledge that the code is under development,
> > stuff like this should IMO never go into a public repository.
> >
> Using a pipe will take two file descriptors, as glib's child watch code
> already introduces the two pipes and a thread; I don't think they are
> good.

I don't see the problem with that approach; it is used by many glib/gtk
applications, even GDM. Have a look at GDM's signal handling code if you
need some inspiration on how to implement this.

> I don't want to depend on dbus; lxdm's goal is to work with no
> dependency that is not necessary.

DBus is nowadays a low-level dependency (whether one likes it or not).

-- 
Guido Berhoerster

_______________________________________________
Lxde-list mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lxde-list
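The three problems raised in the thread (a pre-created /tmp/lxdm.sock, the window between unlink() and bind(), and a socket other users can tamper with) all stem from creating the socket in a directory that other users can write to. The following is an added example, not lxdm's code: a daemon that refuses to bind unless the directory is a real directory owned by its own effective uid and writable by nobody else, then binds with a restrictive umask. The directory and socket names in the demo are assumptions, and the demo builds its own private directory with mkdtemp() so it runs without root.

```c
/* Added example: bind an AF_UNIX socket only inside a directory that this
 * uid owns and nobody else can write to. Not lxdm's code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Return 0 if `dir` is a real directory (not a symlink), owned by our
 * effective uid and not writable by group or others; -1 otherwise.
 * /tmp fails this check even with the sticky bit: anyone may mkdir there. */
int check_private_dir(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) == -1) return -1;
    if (!S_ISDIR(st.st_mode)) return -1;              /* symlink or plain file */
    if (st.st_uid != geteuid()) return -1;            /* someone else's directory */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return -1;  /* others could create entries */
    return 0;
}

/* Create and bind a listening AF_UNIX socket at dir/name. Returns the fd or -1. */
int bind_private_socket(const char *dir, const char *name)
{
    if (check_private_dir(dir) == -1) return -1;

    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    if (snprintf(addr.sun_path, sizeof addr.sun_path, "%s/%s", dir, name)
            >= (int)sizeof addr.sun_path) {
        errno = ENAMETOOLONG;
        return -1;
    }

    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd == -1) return -1;

    /* A stale socket from a previous run is ours to remove. Only our uid can
     * create entries in this directory, so nobody can slip a file or symlink
     * into the unlink/bind window. */
    if (unlink(addr.sun_path) == -1 && errno != ENOENT) { close(fd); return -1; }

    /* Create the socket node with mode 0600; on Linux that mode decides who
     * may connect(). Restore the previous umask afterwards. */
    mode_t old = umask(0077);
    int rc = bind(fd, (struct sockaddr *)&addr, sizeof addr);
    umask(old);
    if (rc == -1 || listen(fd, 8) == -1) { close(fd); return -1; }
    return fd;
}

/* Demo: make a 0700 directory under /tmp (an assumed location), show that
 * binding there succeeds, then make the directory world-writable and show
 * that binding is refused. Returns 0 when both expectations hold, otherwise
 * the number of the step that failed. */
int private_socket_demo(void)
{
    char dir[] = "/tmp/lxdm-demo-XXXXXX";       /* constructed test path */
    if (mkdtemp(dir) == NULL) return 1;         /* mkdtemp creates mode 0700 */
    int step = 0;

    int fd = bind_private_socket(dir, "lxdm.sock");
    if (fd == -1) step = 2;
    else close(fd);

    if (step == 0 && chmod(dir, 0777) == -1) step = 3;
    if (step == 0 && bind_private_socket(dir, "lxdm.sock") != -1) step = 4;

    char path[sizeof dir + 16];
    snprintf(path, sizeof path, "%s/lxdm.sock", dir);
    unlink(path);
    rmdir(dir);
    return step;
}

int main(void)
{
    int rc = private_socket_demo();
    printf("private socket demo: %s (step %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Two details worth keeping in mind: whether another user can unlink() the socket is decided by the directory's permissions, whereas the socket node's own mode decides who may connect() to it on Linux, so the directory check and the umask address different attackers. umask() is process-wide, so in a multi-threaded daemon set it once at startup instead of toggling it around bind().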
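The self-pipe trick recommended above, as an added example rather than lxdm's or GDM's code: the signal handler does nothing except write the signal number into a non-blocking pipe, and the main loop poll()s the read end alongside whatever other descriptors it watches, so no filesystem socket is needed for signal handling at all. The demo forks a child that exits immediately and learns of that through SIGCHLD arriving on the pipe; the set of routed signals is an assumption.

```c
/* Added example of the self-pipe trick. Not lxdm's or GDM's code. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

static int self_pipe[2] = { -1, -1 };   /* [0] read end, [1] write end */

/* Signal handler: write() is async-signal-safe. errno is preserved for the
 * code that was interrupted. The pipe is non-blocking, so when it is full
 * the write fails with EAGAIN, which is harmless: a wake-up is pending. */
static void on_signal(int signo)
{
    int saved_errno = errno;
    unsigned char byte = (unsigned char)signo;
    ssize_t r = write(self_pipe[1], &byte, 1);
    (void)r;
    errno = saved_errno;
}

static int set_cloexec_nonblock(int fd)
{
    int fl = fcntl(fd, F_GETFL);
    if (fl == -1 || fcntl(fd, F_SETFL, fl | O_NONBLOCK) == -1) return -1;
    int fdfl = fcntl(fd, F_GETFD);
    if (fdfl == -1 || fcntl(fd, F_SETFD, fdfl | FD_CLOEXEC) == -1) return -1;
    return 0;
}

/* Create the pipe and route each signal in `signals` into it. 0 or -1. */
int self_pipe_init(const int *signals, size_t nsignals)
{
    if (pipe(self_pipe) == -1) return -1;
    if (set_cloexec_nonblock(self_pipe[0]) == -1 ||
        set_cloexec_nonblock(self_pipe[1]) == -1) return -1;

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    for (size_t i = 0; i < nsignals; i++)
        if (sigaction(signals[i], &sa, NULL) == -1) return -1;
    return 0;
}

/* Wait up to timeout_ms for signal bytes, drain the pipe completely and
 * store the signal numbers in signos[]. Returns how many were stored,
 * 0 on timeout, -1 on error. A real daemon adds its other descriptors
 * to the pollfd array; the signal pipe is just one more entry. */
int self_pipe_wait(int *signos, size_t cap, int timeout_ms)
{
    struct pollfd pfd = { .fd = self_pipe[0], .events = POLLIN, .revents = 0 };
    int rc;
    do {
        rc = poll(&pfd, 1, timeout_ms);
    } while (rc == -1 && errno == EINTR);
    if (rc <= 0) return rc;

    size_t n = 0;
    unsigned char buf[64];
    for (;;) {
        ssize_t got = read(self_pipe[0], buf, sizeof buf);
        if (got > 0) {
            for (ssize_t i = 0; i < got; i++)
                if (n < cap) signos[n++] = buf[i];
            continue;
        }
        if (got == -1 && errno == EINTR) continue;
        break;      /* EAGAIN: the pipe is drained */
    }
    return (int)n;
}

/* Demo: fork a child that exits at once, wait for SIGCHLD through the pipe,
 * then reap it. Returns the child's exit status (0) on success, -1 otherwise. */
int self_pipe_demo(void)
{
    const int wanted[] = { SIGCHLD, SIGTERM };   /* assumed signal set */
    if (self_pipe_init(wanted, 2) == -1) return -1;

    pid_t child = fork();
    if (child == -1) return -1;
    if (child == 0) _exit(0);

    int signos[8];
    for (;;) {
        int n = self_pipe_wait(signos, 8, 5000);
        if (n <= 0) return -1;
        int saw_chld = 0;
        for (int i = 0; i < n; i++)
            if (signos[i] == SIGCHLD) saw_chld = 1;
        if (saw_chld) break;
    }
    int status;
    if (waitpid(child, &status, 0) != child) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int rc = self_pipe_demo();
    printf("child exit status learned via SIGCHLD on the self-pipe: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The pipe costs two descriptors, as noted in the thread, but the read end is the only thing the event loop has to know about, and because the handler never touches anything but the pipe, all real work (reaping children, shutting down on SIGTERM) happens in the main loop with ordinary, non-async-signal-safe code.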
