/tmp/fishd.socket.user permissions checking (CVE-2014-2905) #1436
|
In fixing this issue, I went with I decided against manipulating umask, checking permissions or checking socket owners because none of those are guaranteed to be respected by the socket API - in particular, on Solaris, anyone can connect to a socket filename regardless of owner or file mode. |
|
It has been pointed out that this probably isn't a sufficient fix; there is no verification that there is a fishd process at the other end, and so a symlink can be used to cause fish to talk the fish protocol to other sockets owned by the same user - such as a program which may not be expecting fish input.
I think, unfortunately, we are going to have to move the socket path, and I don't think there's any way of falling back to the old path securely, so this will require a restart of all running fish instances before universal variables work. |
|
I saw @ridiculousfish's work on death_of_fishd branch. Wouldn't that solve the issue since fishd would be gone (if I get it right)? |
|
Yes, but that is not yet ready and is an intrusive change that may not be suitable for a point release. |
|
That makes sense. |
|
I dropped the ball on this a bit but I think it's time to get the fix out. My plan at present is to move the socket path entirely, using a secure path like tmux, and give up on The problem with moving the path is that it is possible to have two versions of The options are:
|
|
A |
|
OK, I've added this in 4cb4fc3, review would be much appreciated. |
|
Thanks zanchey, overall this looks very solid. Two suggestions:
|
|
OK, I've made those and a couple of other changes in zanchey/fish-shell@2b5cd21c337a8990c0c343ab2. Does that look ok? |
|
If there are no other problems, I'm hoping to roll the 2.1.1 release in about 48 hours' time. |
This reverts commit aea9ad4. Just checking the credentials of the peer turns out to be insufficient. See fish-shell#1436.
Neither fish nor fishd checks the credentials of processes communicating over the fishd universal variable server UNIX domain socket.
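
The thread settles on moving the socket to a secure path instead of relying on socket file mode, owner or peer credentials. The sketch below is an added example, not the code from 4cb4fc3 and not tmux's: it assumes "secure path" means a per-user directory that is created with mode 0700 and then verified with `lstat`, and the name `fishd-example.<uid>` and the function `secure_socket_dir` are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not fish's code): build "<base>/fishd-example.<uid>",
 * create it with mode 0700 if absent, then verify what is actually there.
 * Returns 0 and fills `out` on success, -1 if the directory cannot be trusted. */
int secure_socket_dir(const char *base, char *out, size_t outlen)
{
    struct stat st;
    int n = snprintf(out, outlen, "%s/fishd-example.%lu", base,
                     (unsigned long)geteuid());
    if (n < 0 || (size_t)n >= outlen)
        return -1;                      /* path did not fit in the buffer */

    /* EEXIST is acceptable here: the name may have been created first by
     * someone else, so the checks below decide whether it is usable. */
    if (mkdir(out, 0700) != 0 && errno != EEXIST)
        return -1;

    /* lstat, not stat: a symlink planted at this name must be seen as a
     * symlink rather than followed to wherever it points. */
    if (lstat(out, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode))
        return -1;                      /* symlink, regular file, socket, ... */
    if (st.st_uid != geteuid())
        return -1;                      /* created by another user */
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return -1;                      /* group/other can enter or modify */
    return 0;
}

int main(void)
{
    char dir[256];
    if (secure_socket_dir("/tmp", dir, sizeof dir) != 0) {
        fprintf(stderr, "refusing to use %s\n", dir);
        return 1;
    }
    printf("socket directory: %s\n", dir);
    return 0;
}
```

Because the directory is owned by the user and closed to everyone else, no other user can plant a symlink or a substitute socket at the socket's name inside it, which is the property the file-mode and owner checks on the socket itself could not provide.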