On Tue, Sep 04, 2001 at 12:31:13PM +1000, Andrew van der Stock wrote:
> NO! NO! NO! NO!

I know what you mean; I was horrified myself to learn that the user's
.vnc directory has world execute permission. But the passwd file has
mode 600 (see the code that creates it in the library).

I was just extending the existing convention: take a look at how the
vncserver script creates the .vnc directory.

> Do not EVER trust the environment, particularly when using sprintf() with
> bounded arrays! This is how we got into all that locale, xmcd, kerberos,
> dtmail (and so on... the list is endless) bother.

Well, to be honest, the risk here is hard to see:

* If the user's HOME environment variable is somehow changed by an
  attacker, they are in trouble anyhow since the VNC library is about
  to fopen(...,"w") the passwd file.
* Otherwise the HOME environment variable is sane, so we should worry
  about symlink attacks. Wait---a symlink attack on a user, in their
  own home directory? How?

> The mode of the .vnc directory should be 700, not 755. There is no reason to
> create this directory as 755, as this allows any user to discover the user's
> VNC password.

Although the 'allows any user to discover the user's VNC password' bit
is incorrect (see above), I agree that this directory ought to be more
secure. That requires a change to the vncserver script as well.

> Test the error result, don't just ignore it!

Where do I ignore an error result?

Thanks for the feedback.

Tim.
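
Added example, not part of the original message or the VNC source: one way to combine the points raised in this thread, with a bounds-checked path built from HOME, a 700 .vnc directory, a 600 passwd file, a refused symlink at .vnc, and every return value tested. The name open_vnc_passwd and the /tmp stand-in for HOME are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, O_DIRECTORY, openat, mkdtemp */
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from the VNC source): make <home>/.vnc private
 * and open <home>/.vnc/passwd for writing. Returns an fd, or -1 on failure. */
int open_vnc_passwd(const char *home)
{
    char dir[PATH_MAX];
    struct stat st;
    int n, dfd, fd = -1;

    if (home == NULL || home[0] != '/')
        return -1;                          /* unset or relative HOME */
    n = snprintf(dir, sizeof dir, "%s/.vnc", home);
    if (n < 0 || (size_t)n >= sizeof dir)
        return -1;                          /* would not fit: refuse, never truncate */
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW: a symlink planted at .vnc is rejected, not followed. */
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    /* Work on the descriptor so the checks and the open see the same directory. */
    if (fstat(dfd, &st) == 0 && st.st_uid == geteuid() &&
        fchmod(dfd, 0700) == 0)             /* tightens an existing 755 directory */
        fd = openat(dfd, "passwd", O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    close(dfd);
    if (fd >= 0 && fchmod(fd, 0600) != 0) { /* existing file may be looser than 600 */
        close(fd);
        fd = -1;
    }
    return fd;
}

int main(void)
{
    char tmpl[] = "/tmp/vnc-demo-XXXXXX";   /* constructed stand-in for $HOME */
    int fd = open_vnc_passwd(mkdtemp(tmpl));
    printf("%s: %s\n", tmpl, fd >= 0 ? "created .vnc (700) and passwd (600)" : "refused");
    if (fd >= 0) close(fd);
    return fd >= 0 ? 0 : 1;
}
```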