wineserver socket file and DOS attacks
m.b.lankhorst at gmail.com
Wed Apr 30 19:45:00 CDT 2008
2008/4/30 Ove Kaaven <ovek at arcticnet.no>:
> Maarten Lankhorst wrote:
> > The latter won't work, they could create the directory and then delete
> > it after wineserver started. I don't think it is really a problem, by
> > the time someone else can put that directory in /tmp chances are that
> > they can do a lot more malicious things than just making Wine refuse
> > to run.
> Like what? The UNIX user/permission system, including the sticky bit used
> on /tmp, is supposed to protect local users against each other, but this is
> contingent on files created in /tmp using unique names (like what mktemp
> generates). There's very little else malicious people can do if the system
> is otherwise properly set up in a secure fashion, and this socket-in-/tmp
> thing sounds like a quite legitimate concern.
Wine checks ownership of the socket and directory, so race conditions
aren't really a problem. This means that despite being put in a public
directory there is no chance of a race condition. I don't see a
security risk here, if someone is evil they could create that
directory so wine wouldn't run, but that harm is only restricted to
'wine does not start'.
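
The kind of ownership check discussed in this thread, as an added example (not part of the original message and not Wine's own code): create or adopt a directory under /tmp and refuse it unless it is a real directory, owned by the calling user and closed to group and other. The helper name `ensure_private_dir` and the sample path are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: create (or adopt) a private directory under a
 * world-writable parent. Returns 0 if usable, -1 if it must be refused. */
int ensure_private_dir(const char *path)
{
    struct stat st;

    /* 0700 so only the owner can create, rename or delete entries inside. */
    if (mkdir(path, 0700) == -1 && errno != EEXIST)
        return -1;

    /* lstat, not stat: a symlink planted at this name must not be followed. */
    if (lstat(path, &st) == -1)
        return -1;
    if (!S_ISDIR(st.st_mode))
        return -1;                 /* symlink, regular file, ... */
    if (st.st_uid != getuid())
        return -1;                 /* pre-created by another user */
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return -1;                 /* group/other access: not private */
    return 0;
}

int main(void)
{
    char path[64];
    /* Constructed sample path; not the name Wine uses. */
    snprintf(path, sizeof path, "/tmp/.example-server-%lu",
             (unsigned long)getuid());
    if (ensure_private_dir(path) == -1) {
        fprintf(stderr, "%s: refused\n", path);
        return 1;
    }
    printf("%s: ok\n", path);
    return 0;
}
```

With the sticky bit set on /tmp, another user cannot rename or remove a directory that passed this check, so a pre-created directory under the expected name only makes the helper refuse to proceed.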