lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CA+qbEUOoEDwgWWfqfpX_D1uaCk2poDgnJS5STguZ=Qbovq=XSA@mail.gmail.com>
Date:	Mon, 20 Aug 2012 11:42:27 -0700
From:	Colin McCabe <cmccabe@...mni.cmu.edu>
To:	linux-man@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: Documenting UNIX domain autobind

> Hello Tetsuo,
>
> I'm the Linux man-pages mainatiner. I write to you because I see that
> you recently (http://kerneltrap.org/mailarchive/linux-netdev/2010/8/30/6284106/thread#mid-6284106)
> did some work patchiing Linux unix_autobind(), so you may know the
> answer to this question. But, also others on the CC may know.
>
> I recently noticed this feature in the kernel, and so added some
> documentation to the unix(7) man page. That text reads as follows:
>
>   Autobind Feature
>       If a bind() call specifies addrlen as  sizeof(sa_family_t),  or
>       the  SO_PASSCRED  socket option was specified for a socket that
>       was not explicitly bound to an  address,  then  the  socket  is
>       autobound  to  an  abstract address.  The address consists of a
>       null byte followed by 5 bytes in the  character  set  [0-9a-f].
>       (Thus, there is a limit of 2^20 autobind addresses.)
>
> I think this text correctly documents the technical details (but let
> me know if you see errors). What is lacking is an explanation of why
> this feature exists. Is someone able to explain where this feature is
> used and why?
>
> thanks,
>
> Michael

I wasn't involved in developing this feature, but as someone who has
used UNIX domain sockets in the past, I think I can comment on this.

As you know, you have to bind every UNIX domain socket to a unique
identifier.  In Linux, this can be either a path or an entry in the
abstract namespace.  Either way, if you try to use an identifier that
someone is already using, it won't work.  If autobind did not exist,
you could write a loop to try random identifers until you get one that
works.  With autobind, you don't have to write this code and risk
getting it wrong.

Another consideration is that autobind gives you a guarantee that
you're not using an identifier that someone else has chosen.  Without
this guarantee, it's possible that the random-ish identifer you chose
will conflict with another process on the system.  One man's randomly
chosen string is another man's carefully-chosen identifier.  Autobind
eliminates this risk completely.

It would be nice to see some discussion in the man pages about the
potential security issues of using UNIX domain sockets.  For example,
if you create a UNIX domain socket under /tmp, a malicious process
could move it out of the way and create its own socket there,
effectively performing a man-in-the-middle attack on you.  If you
create a socket under /tmp that is named predictably (like
/tmp/my-program-name), a malicious process could create a
denial-of-service by creating a socket or other entry in that
position.  These issues can be avoided by using the abstract
namespace, or using a well-known and secure path for UNIX domain
sockets.  However, a novice wouldn't necessarily know that he needed
to do that.

cheers,
Colin McCabe
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ