Re: [as-devel] AS pipes
Ethan (allanon@crystaltokyo.com)
Mon, 2 Aug 1999 14:14:03 -0700 (PDT)
On Mon, 2 Aug 1999, Albert Dorofeev wrote:
> I was looking at the pipe that AS creates to communicate with
> the modules. It seems that the pipe allows anyone to connect
> to AS due to the permissions set on the file. Now, I do not
> know how permissions on pipes are different from the permissions
> on files. However, I would suggest, if possible, to create
> the pipe with such permissions that only the owner can read and
> write it. Alternatively, the non-configurable directory should
> be not readable/writable/searchable for anyone else than the
> owner. I see this as a serious security risk for I think you
> can ask AS to do a lot of stuff...
Hm. This is not true on my system. Here, the socket is:
srwxr-xr-x 1 root root 0 Aug 2 05:41 connect.DISPLAY=:0.0
... which doesn't allow writing by anyone except the owner (root, in
this case). I tested this by attempting to write to it as another user,
which gave me the following error:
paranor2/tmp% ascommand.pl "nop"
connect: Connection refused at ./ascommand.pl line 59.
The permissions for the intermediate directories were set to allow
writing by the user I was testing as.
I agree, though, that AfterStep can be requested to do pretty much
anything the user wants, so any chance that the socket could be abused
should be squelched. Here's a patch for ya that ensures a mode of 0700.
ChangeLog:
1.7.126 patch 2 (allanon)
o iconified windows are no longer treated as open while moving around an
AvoidCover window
o moved Tigr's iconified windows patch; ICONIFIED should take precedence
over SHADED
o module socket is now mode 0700 for better security
----
Ethan Fischer
allanon@crystaltokyo.com
http://members.xoom.com/allanon1
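As an added example, not code from the mail or from the attached AfterStep patch: a module-socket creation routine that tightens the umask before bind() so the node is never world-accessible, even briefly, together with the mode check that corresponds to the `ls -l` line above, which can be run against both the socket and its parent directory (the "alternatively" suggested in the quoted mail). The path and the function names are assumptions.

```c
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>

/* Create a listening AF_UNIX socket whose filesystem node is mode 0700.
 * umask(077) is applied before bind() so the node is born private;
 * chmod() afterwards covers systems that ignore umask for sockets.
 * Returns the listening fd, or -1 with errno set. */
int create_private_socket(const char *path)
{
    struct sockaddr_un addr;
    mode_t old;
    int fd;

    if (strlen(path) >= sizeof(addr.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    unlink(path);               /* drop a stale node left by an earlier run */
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);
    old = umask(077);           /* node gets at most rwx------ on creation */
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        chmod(path, S_IRWXU) < 0 || listen(fd, 5) < 0) {
        umask(old);
        close(fd);
        unlink(path);
        return -1;
    }
    umask(old);
    return fd;
}

/* Audit check: 1 if the node carries no group/other bits (the 0700 the
 * patch enforces), 0 if it does, -1 if it cannot be stat'ed. Apply it to
 * the socket itself and to the directory that holds it. */
int node_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}
```

Whether the kernel honours the socket node's mode on connect() is not guaranteed by POSIX (Linux requires write permission on the node; some older BSD systems ignored it), which is why the directory check is worth keeping alongside the socket mode.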