Bug 49646 - Nautilus provides "DoS attacks for morons"
Product: Red Hat Linux
Classification: Retired
Component: esound
Platform: i386 Linux
Severity: medium
Assigned To: Elliot Lee
Aaron Brown
Keywords: Security
Reported: 2001-07-22 15:01 EDT by Michal Jaegermann
Modified: 2007-04-18 12:35 EDT (History)

Doc Type: Bug Fix
Last Closed: 2001-07-23 10:08:32 EDT

Description Michal Jaegermann 2001-07-22 15:01:50 EDT
Description of Problem:

Nautilus apparently opens /tmp/.esd/socket socket with
'drwxrwxrwt' permits on '.esd', 'srwxrwxrwx' on 'socket', and
owned apparently by whomever first managed to grab it.

What imaginative names, a great spot to hide "warez" and rootkit
pieces, and an excellent opportunity for trivial denial-of-service
attacks!  I would have to think long before coming up with such
Comment 1 Havoc Pennington 2001-07-22 17:07:38 EDT
This is esound, not Nautilus. I think it may be NOTABUG but I'm not familiar
with the issues, so I'm going to let someone else close the report. In any case,
Nautilus is not involved here, it is just calling the esd library.
Comment 2 Elliot Lee 2001-07-23 12:13:23 EDT
You can already hide warez under /tmp or many of its subdirectories, so that
part is really lame.

The permissions are as intended. Certainly it's possible that there are specific
problems that indicate flaws with this design, but the permissions on this
directory are no different than those of /tmp/.X11-unix and its files, so I see
no reason to accept your weak DoS attack generalization at face value...
Comment 3 Michal Jaegermann 2001-07-23 16:03:20 EDT
> You can already hide warez under /tmp or many of its subdirectories, so that
> part is really lame.

I am not so sure.  Obviously everybody can create new directories, and with
"funny" names on top of it, in /tmp and in a number of other places;
font directories for TeX come to mind in the first place.  But this time
a new "hidden" subdirectory with 'rwxrwxrwt' permissions
showed up automagically for me.  This 't' helps a bit but not that much.
I could be unaware of its existence for a while if not for that detail
that Nautilus tripped over it for some reason.

The DoS attack is that whomever happens to be an owner of this
/tmp/.esd/socket, and tests show that anybody can end up with this,
may change permissions on it and everybody else will have their
Nautilus desktops severely messed up.
The same if you will find some way to modify these permissions
even if you are not an owner.  I did not really think seriously
how to do the latter but opportunities are obvious.

I understand that an underlying problem is with 'esd' (should that not
be gone and replaced; it was described by others as a "quick hack
with a raft of troubles") but this was Nautilus which forced that,
otherwise unused, piece on me.
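The failure mode described in comments 2 and 3 (a shared socket in a sticky, world-writable directory, owned by whichever user created it first, whose owner can lock everybody else out with a chmod) can be checked for from the defender's side. The script below is an added example and is not part of the bug report or of esound; it builds a constructed replica of the /tmp/.esd layout under a temporary directory (it never touches the real /tmp/.esd), then audits the socket before and after the owner tightens its mode, which is the condition that would break other users' sessions.

```python
import os
import shutil
import socket
import stat
import tempfile


def audit_shared_socket(sock_path, expected_mode=0o777):
    """Audit a socket that is meant to be shared by all local users.

    Returns a list of human-readable findings; an empty list means the
    layout matches the intended 'drwxrwxrwt' / 'srwxrwxrwx' shape and the
    socket belongs to the calling user.
    """
    findings = []
    st = os.lstat(sock_path)
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("%s is not a socket" % sock_path)
        return findings

    # The containing directory is world-writable by design; the sticky bit
    # is the only thing stopping other users from unlinking the socket.
    parent_st = os.stat(os.path.dirname(sock_path))
    if parent_st.st_mode & stat.S_IWOTH and not parent_st.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable without the sticky bit")

    # A mode tighter than expected means other users' clients will fail to
    # connect: this is the denial of service the report describes.
    mode = stat.S_IMODE(st.st_mode)
    if mode != expected_mode:
        findings.append("socket mode %04o differs from expected %04o; "
                        "other users may be unable to connect" % (mode, expected_mode))

    # Whoever owns the socket controls its permissions, so a socket owned
    # by someone else is a risk for every other user on the host.
    if st.st_uid != os.getuid():
        findings.append("socket is owned by uid %d, not by the current user; "
                        "the owner controls its permissions" % st.st_uid)
    return findings


def build_esd_like_layout(root):
    """Constructed replica of the layout from the report: <root>/.esd with
    mode 1777 and a Unix socket <root>/.esd/socket with mode 0777.
    Returns (socket_path, socket_object); the caller closes the socket."""
    esd_dir = os.path.join(root, ".esd")
    os.mkdir(esd_dir)
    os.chmod(esd_dir, 0o1777)          # drwxrwxrwt
    sock_path = os.path.join(esd_dir, "socket")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)                # creates the socket inode
    os.chmod(sock_path, 0o777)         # srwxrwxrwx
    return sock_path, srv


def demo():
    """Audit the replica as created, then after the owner chmods it to 0700.

    Returns (findings_before, findings_after)."""
    root = tempfile.mkdtemp(prefix="esd-audit-")
    try:
        sock_path, srv = build_esd_like_layout(root)
        try:
            before = audit_shared_socket(sock_path)
            # The owner tightening the mode is the step that shuts
            # everybody else out of the shared daemon.
            os.chmod(sock_path, 0o700)
            after = audit_shared_socket(sock_path)
        finally:
            srv.close()
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "no findings")
    print("after: ", after)
```

Run against a real per-host socket path instead of the replica, the same `audit_shared_socket` call gives a periodic check that a shared socket has not been re-owned or re-moded; the ownership finding is the one that matters most, since it is present before any damage is done.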
