Red Hat Bugzilla – Bug 49646
Nautilus provides "DoS attacks for morons"
Last modified: 2007-04-18 12:35:00 EDT
Description of Problem:
Nautilus apparently opens the /tmp/.esd/socket socket with
'drwxrwxrwt' permits on '.esd', 'srwxrwxrwx' on 'socket', and
owned apparently by whomever first managed to grab it.
What imaginative names, a great spot to hide "warez" and rootkit
pieces, and an excellent opportunity for trivial denial-of-service
attacks! I would have to think long before coming up with such
This is esound, not Nautilus. I think it may be NOTABUG but I'm not familiar
with the issues, so I'm going to let someone else close the report. In any case,
Nautilus is not involved here, it is just calling the esd library.
You can already hide warez under /tmp or many of its subdirectories, so that
part is really lame.
The permissions are as intended. Certainly it's possible that there are specific
problems that indicate flaws with this design, but the permissions on this
directory are no different than those of /tmp/.X11-unix and its files, so I see
no reason to accept your weak DoS attack generalization at face value...
> You can already hide warez under /tmp or many of its subdirectories, so that
> part is really lame.
I am not so sure. Obviously everybody can create new directories, and with
"funny" names on top of it, in /tmp and in a number of other places;
font directories for TeX come to mind in the first place. But this time
a new "hidden" subdirectory with 'rwxrwxrwt' permissions
showed up automagically for me. This 't' helps a bit but not that much.
I could be not aware of its existence for a while if not for that detail
that Nautilus tripped over it for some reason.
The DoS attack is that whoever happens to be an owner of this
/tmp/.esd/socket, and tests show that anybody can end up with this,
may change permissions on it and everybody else will have their
Nautilus desktops severely messed up.
The same if you will find some way to modify these permissions
even if you are not an owner. I did not really think seriously
how to do the latter but opportunities are obvious.
I understand that an underlying problem is with 'esd' (should that not
be gone and replaced; it was described by others as a "quick hack
with a raft of troubles") but this was Nautilus which forced that,
otherwise unused, piece on me.
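An added example (not part of this bug report or of esound/Nautilus) that recreates the permission layout described above in a temporary directory and audits it from the defender's side: it reports whether the parent directory carries the sticky bit, whether the socket is world-writable, and whether it belongs to another user, which is the combination that lets that user chmod everyone else out. It assumes Linux with AF_UNIX sockets and Python 3; the function and variable names are hypothetical.

```python
import os
import socket
import stat
import tempfile

def audit_shared_socket(sock_path):
    """Describe how a shared AF_UNIX socket in a /tmp-style directory is exposed."""
    parent = os.path.dirname(sock_path)
    dmode = os.lstat(parent).st_mode
    st = os.lstat(sock_path)
    findings = {
        "is_socket": stat.S_ISSOCK(st.st_mode),
        # the sticky bit only stops other users deleting or renaming the entry
        "parent_sticky": bool(dmode & stat.S_ISVTX),
        "parent_world_writable": bool(dmode & stat.S_IWOTH),
        "socket_world_writable": bool(st.st_mode & stat.S_IWOTH),
        # only the file's owner can chmod it; if that is someone else, they can
        # withdraw access from every other user (the DoS raised in the report)
        "owned_by_other_user": st.st_uid != os.getuid(),
    }
    findings["dos_by_owner_possible"] = (
        findings["is_socket"]
        and findings["socket_world_writable"]
        and findings["owned_by_other_user"]
    )
    return findings

def build_esd_like_layout(base):
    """Constructed sample: '.esd' as drwxrwxrwt and 'socket' as srwxrwxrwx."""
    d = os.path.join(base, ".esd")
    os.mkdir(d, 0o700)
    os.chmod(d, 0o1777)          # drwxrwxrwt
    path = os.path.join(d, "socket")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)                 # creates the socket inode
    os.chmod(path, 0o777)        # srwxrwxrwx
    return path, s

def run_demo():
    """Build the layout in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        path, s = build_esd_like_layout(tmp)
        findings = audit_shared_socket(path)
        s.close()
    return findings

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run against the real /tmp/.esd/socket, the same audit flags the case the reporter describes: a world-writable socket owned by a different uid.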