Speech Dispatcher 0.7 Beta -- Please help with testing
Samuel Thibault
samuel.thibault at ens-lyon.org
Wed Apr 28 00:07:12 BST 2010
trev.saunders at gmail.com, le Tue 27 Apr 2010 14:30:39 -0400, a écrit :
> THere is a rather large local security problem with your use of unix sockets. It is very easy for a local hostile user to cause a denial of service, because you put the unix sockets in a world readable place with *very* predictable names. They are so predictable because a the only thing that the attacker has to gues is the UID of the user, and because UID's for standard users start at 1000, and are assigned in order, the attacker would only have to create say 100 files, wich with a simple shell script is trivial.
That's actually not really new, compared to the previous TCP/IP
approach.
The place (or port number) has to be well-known for applications to be
able to connect to it anyway, so any security layer needs to be added
after connection.
Samuel
More information about the Ubuntu-accessibility
mailing list