From kde-devel  Tue Dec 27 19:36:45 2005
From: "Joshua J. Berry" <des () condordes ! net>
Date: Tue, 27 Dec 2005 19:36:45 +0000
To: kde-devel
Subject: Re: One Way to Increase KDE security
Message-Id: <43B197CD.7060005 () condordes ! net>
X-MARC-Message: https://marc.info/?l=kde-devel&m=113571918020548

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dave Feustel wrote:
> 'threat' implies *potential* or *possible* damage. The unused socket could
> possibly be used to cause damage.

No, it couldn't.  If the socket is unused, that implies there are no
applications listening on that socket.  If there are no applications
listening on that socket, it can't be a security threat, because (a) there
is nothing on the other end that could be exploited, and (b) you can't even
open the socket in the first place.

If you need to satisfy yourself that (b) is correct, here's a Perl script
for you:

- -----
#!/usr/bin/perl

use IO::Socket;

# Create the socket.
$s = new IO::Socket::UNIX(Local => 'foo.socket', Listen => 1);
die "Couldn't create socket: $!" if ! $s;

# Close it, so nothing is listening on it anymore.
$s->close;

# Now that the socket is closed, we shouldn't be able to open it again.
$s = new IO::Socket::UNIX(Peer => 'foo.socket');
die "Couldn't open socket: $!" if ! $s;

$s->print("This is a test of the emergency broadcasting system.\n");
- -----

If (b) is correct, this program will exit with the error message: "Couldn't
open socket: connection refused" (or some similar error message).  Even if
(b) isn't correct for your platform (though I can't imagine why it wouldn't
be), (a) is still true -- there's nothing on the other end of the socket to
exploit.

One of your basic assumptions about UNIX sockets is wrong, hence Thiago's
comment about deleting random files to improve security.

I suggest you check the rest of your assumptions before immediately jumping
to the conclusion that you have a breach of security.  All the behavior you
have described thus far sounds like it would be caused by some automated
script that runs as part of OpenBSD.


- --
Joshua J. Berry

"I haven't lost my mind -- it's backed up on tape somewhere."
    -- /usr/games/fortune
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDsZfNaIxeYlQMsxsRAi3IAJsFQW+GS+CfBebWapvOVlgQfp/DzACfX00+
8HMHMWwTFUQa6UyOqS8qgX8=
=AFPQ
-----END PGP SIGNATURE-----
 
>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<