wineserver socket file and DOS attacks

Maarten Lankhorst m.b.lankhorst at gmail.com
Wed Apr 30 13:45:15 CDT 2008


Hello Steven,

2008/4/30 Steven Elliott <selliott4 at austin.rr.com>:
> I have some concerns about the location of the socket file that
>  wineserver uses.  Since by default the current location is in /tmp my
>  concern is that anyone can stop anyone else from using wine just by
>  creating a directory named /tmp/.wine-500.
>
>  As far as I know the only risk is denial of service in nature since wine
>  seems to be smart enough to make sure the /tmp/.wine-500 is owned by the
>  user invoking the wine application:
>     > notepad
>     wineserver: /tmp/.wine-500 is not owned by you
>
>  Previously the socket file was under ~/.wine.  I found this which
>  briefly documents the change here:
>     http://www.winehq.org/site/docs/winedev-guide/x2584
>  under section "7.3.2. The Wine server" it says:
>
>  "In earlier versions of Wine the master socket mentioned above was
>  actually created in the configuration directory; either your home
>  directory's /wine subdirectory or wherever the WINEPREFIX environment
>  variable points. Since that might not be possible the socket is actually
>  created within the /tmp directory with a name that reflects the
>  configuration directory."
>
>  /tmp/.wine-<user Id> is hard coded in libs/wine/config.c, so that aspect
>  of the socket file location is not configurable.
>
>  Anyway, have alternatives such as the following been considered?:
>
>  1) Create the socket file in ~/.wine (or wherever WINEPREFIX points)
>  like wine used to if the user's home directory exists and is writable.
>  Use /tmp/.wine-<user Id> as a fallback.
>
>  2) Append some additional integer to /tmp/.wine-<user Id> that is
>  incremented if that directory already exists and is owned by someone
>  else.  For example,  if /tmp/.wine-500 already exists for user 500 but
>  is owned by someone else then both wineserver and the wine application
>  would append "-1" and then keep incrementing:
>     /tmp/.wine-500
>     /tmp/.wine-500-1
>     /tmp/.wine-500-2

The latter won't work; they could create the directory and then delete
it after wineserver started. I don't think it is really a problem; by
the time someone else can put that directory in /tmp, chances are that
they can do a lot more malicious things than just making Wine refuse
to run.

Cheers,
Maarten.
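
The fail-closed ownership check discussed in this thread, as an added example that is not part of the original message and is not Wine's own code. The function names, the status enum, the /tmp/.example-<uid> path and the extra permission check are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum dir_status { DIR_OK = 0, DIR_ERROR, DIR_NOT_A_DIRECTORY, DIR_NOT_OWNED, DIR_TOO_OPEN };

/* Validate a per-user directory in a shared location such as /tmp (hypothetical helper). */
enum dir_status check_server_dir(const char *path, uid_t uid)
{
    struct stat st;

    /* lstat, not stat: a symlink planted by another user must not be followed. */
    if (lstat(path, &st) == -1) return DIR_ERROR;
    if (!S_ISDIR(st.st_mode)) return DIR_NOT_A_DIRECTORY;
    /* Pre-created by someone else: refuse to use it. This is the case that
       produces the "is not owned by you" message, and why the impact stays
       a denial of service rather than socket hijacking. */
    if (st.st_uid != uid) return DIR_NOT_OWNED;
    /* Assumption beyond the thread: also refuse group/other access. */
    if (st.st_mode & 077) return DIR_TOO_OPEN;
    return DIR_OK;
}

/* Create the directory if it is missing, then validate whatever is at the path. */
enum dir_status prepare_server_dir(const char *path)
{
    /* EEXIST is not a failure here; the checks below decide whether the
       existing entry is safe to use. */
    if (mkdir(path, 0700) == -1 && errno != EEXIST) return DIR_ERROR;
    return check_server_dir(path, getuid());
}

int main(void)
{
    char path[64];

    /* Constructed path for the demo, modelled on the /tmp/.wine-<user Id> pattern. */
    snprintf(path, sizeof(path), "/tmp/.example-%lu", (unsigned long)getuid());
    printf("%s -> status %d\n", path, (int)prepare_server_dir(path));
    return 0;
}
```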
