It'd still be better if both this code and the install script are modified
to create files and directories with effectively "u=rwX,go=".

The risk from unchecked environment variables could be in the future if
someone decides to package VNC as a setuid or setgid program and trusts the
current code base (incorrectly but...) implicitly. It's easy to do the
necessary checking to prevent a buffer overrun. In my opinion, this is
doubly true of any portion of the program that is dedicated to security
management.

Yes, I was a bit hasty in my last statement. You do check the result (me
bad!).

Andrew

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Tim Waugh
Sent: Tuesday, 4 September 2001 18:34
To: Andrew van der Stock
Cc: [EMAIL PROTECTED]
Subject: Re: [patch] make vncpasswd create ~/.vnc if it doesn't exist


On Tue, Sep 04, 2001 at 12:31:13PM +1000, Andrew van der Stock wrote:

> NO! NO! NO! NO!*

I know what you mean; I was horrified myself to learn that the user's
.vnc directory has world execute permission.  But the passwd file has
mode 600 (see the code that creates it in the library).

I was just extending the existing convention: take a look at how the
vncserver script creates the .vnc directory.

> Do not EVER trust the environment, particularly when using sprintf() with
> bounded arrays! This is how we got into all that locale, xmcd, kerberos,
> dtmail (and so on... the list is endless) bother.

Well, to be honest, the risk here is hard to see:

* If the user's HOME environment variable is somehow changed by an
  attacker, they are in trouble anyhow since the VNC library is about
  to fopen(...,"w") the passwd file.

* Otherwise the HOME environment variable is sane, so we should worry
  about symlink attacks.  Wait---a symlink attack on a user, in their
  own home directory?  How?

> The mode of the .vnc directory should be 700, not 755. There is no reason
> to create this directory as 755, as this allows any user to discover the
> user's VNC password.

Although the 'allows any user to discover the user's VNC password' bit
is incorrect (see above), I agree that this directory ought to be more
secure.  That requires a change to the vncserver script as well.

> Test the error result, don't just ignore it!

Where do I ignore an error result?

Thanks for the feedback.

Tim.
*/

---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to [EMAIL PROTECTED]
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------