Date: Sun, 9 Jul 2017 23:21:22 +0200
From: Jilles Tjoelker <jilles@stack.nl>
To: Johannes Lundberg <johalun0@gmail.com>
Cc: Stefan Ehmann <shoesoft@gmx.net>, freebsd-current <freebsd-current@freebsd.org>
Subject: Re: Getting PID of socket client
Message-ID: <20170709212122.GB51240@stack.nl>
In-Reply-To: <CAECmPwt0Un076DT8SHVDFi-ygdfqOWU6hH1cHejn0vNmr4A9Jg@mail.gmail.com>
References: <CAECmPwsD=PYqoG9EA=Wyq16hcrdbf7SQ3Owxdf+WSvYWazJfXA@mail.gmail.com> <a42d8db6-675f-b021-fc50-6ef87d310623@gmx.net> <CAECmPwuAm+n6DyFR01OgatxN9Jj3um-50jOpP0jeB4=N+j=yxg@mail.gmail.com> <684e8346-c4a8-a0c5-cb2a-cd5159d2af1c@gmx.net> <CAECmPwt0Un076DT8SHVDFi-ygdfqOWU6hH1cHejn0vNmr4A9Jg@mail.gmail.com>
On Sun, Jul 09, 2017 at 02:07:06PM +0000, Johannes Lundberg wrote:
> That code gets the child's pid from the fork command. That is not
> available in my case (Wayland client connects to Wayland server via unix
> socket).

> I can understand the security issue.. hmm will dig further tomorrow..

It seems like what Wayland wants is not a security feature, but a feature to prevent people from building things that will not work in a future more secure world. In this future world, operations like making a screenshot would be privileged.

Even if the PID race is solved, it remains trivial to fake the check (for example, fork a process that sends the initial message and then immediately execs a "privileged" binary, or use ptrace to attach to a "privileged" binary or launch a new copy of a "privileged" binary). With regard to security, it would be equivalent to have the client send the name of its binary to the server.

Putting this into a low-level Wayland library would deter people from faking the check to do things that will not work in the future more secure world. I don't know how invasive this would be, though.

One possible implementation of the future more secure world would be per-application UIDs a la Android. Another one would be Capsicum-sandboxed applications where applications receive their Wayland sockets pre-connected by code that tells the Wayland server the application identity.

-- 
Jilles Tjoelker
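The last design sketched in the message, a trusted launcher that hands the server a pre-connected socket and vouches for the application's identity, looks like this in outline. This is an added example, not code from the thread or from Wayland; the application id string, the one-message registration format and the use of socketpairs in one process in place of separate launcher, server and application processes are assumptions made for the demonstration. What it shows is why there is nothing left to race or fake: the server never asks the client who it is, the identity arrives from the launcher over a channel the application never holds, and the descriptor the server reads from was created by the kernel for that launcher, not described to it by the client.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>

#define APP_ID_MAX 64   /* constructed limit for the launcher-supplied id */

struct app_session {
    char app_id[APP_ID_MAX];   /* identity the launcher vouched for */
    int  fd;                   /* server's end of the app's connection */
};

/* Launcher side (trusted): send the server its end of the application's
 * socketpair and the application's identity in one message. The descriptor
 * travels as SCM_RIGHTS, so the server gets a kernel-created reference, not
 * a claim made by the application. */
static int launcher_register(int to_server, int app_conn, const char *app_id)
{
    size_t len = strlen(app_id) + 1;
    struct iovec iov = { .iov_base = (void *)app_id, .iov_len = len };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    struct cmsghdr *cm;

    if (len > APP_ID_MAX)
        return -1;
    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;           msg.msg_iovlen = 1;
    msg.msg_control = u.buf;      msg.msg_controllen = sizeof u.buf;
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &app_conn, sizeof(int));
    return sendmsg(to_server, &msg, 0) == (ssize_t)len ? 0 : -1;
}

/* Server side: take descriptor and identity from the launcher. Later
 * authorization keys on sess->app_id; nothing the application writes on
 * sess->fd can change it. */
static int server_accept_session(int from_launcher, struct app_session *sess)
{
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct iovec iov;
    struct msghdr msg;
    struct cmsghdr *cm;

    memset(sess, 0, sizeof *sess);
    sess->fd = -1;
    iov.iov_base = sess->app_id;  iov.iov_len = APP_ID_MAX;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;           msg.msg_iovlen = 1;
    msg.msg_control = u.buf;      msg.msg_controllen = sizeof u.buf;
    if (recvmsg(from_launcher, &msg, 0) <= 0 || (msg.msg_flags & MSG_CTRUNC))
        return -1;
    sess->app_id[APP_ID_MAX - 1] = '\0';
    for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS &&
            cm->cmsg_len == CMSG_LEN(sizeof(int))) {
            memcpy(&sess->fd, CMSG_DATA(cm), sizeof(int));
            return 0;
        }
    }
    return -1;
}

/* Whole exchange in one process: two socketpairs stand in for the
 * launcher<->server channel and the app<->server connection. Returns 1 if
 * the server reads the app's first message on the descriptor it received and
 * attributes it to the launcher-supplied id, which is copied into seen_id. */
int demo_preconnected_identity(char *seen_id, size_t seen_len)
{
    int ls[2], ap[2], ok = 0;
    struct app_session sess;
    char buf[16];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, ls) < 0)
        return 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, ap) < 0) {
        close(ls[0]); close(ls[1]);
        return 0;
    }
    /* launcher gives ap[1] to the server; a real launcher would then exec the
     * application with ap[0] as an inherited descriptor */
    if (launcher_register(ls[0], ap[1], "org.example.screenshot") == 0 &&
        server_accept_session(ls[1], &sess) == 0) {
        /* application: only ever speaks on ap[0], never states who it is */
        if (write(ap[0], "hello", 5) == 5 &&
            read(sess.fd, buf, sizeof buf) == 5 && memcmp(buf, "hello", 5) == 0) {
            snprintf(seen_id, seen_len, "%s", sess.app_id);
            ok = 1;
        }
        close(sess.fd);
    }
    close(ls[0]); close(ls[1]); close(ap[0]); close(ap[1]);
    return ok;
}

int main(void)
{
    char id[APP_ID_MAX];
    if (demo_preconnected_identity(id, sizeof id))
        printf("server attributed the connection to: %s\n", id);
    return 0;
}
```

The same server code works unchanged when the three roles are separate processes, because the only thing that changes is who holds which descriptor; the kernel-verified peer credentials (LOCAL_PEERCRED on FreeBSD) can additionally confirm that the registration message came from the launcher's UID.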