[4527] in bugtraq
Re: UNIX domain socket (Solarisx86 2.5)
daemon@ATHENA.MIT.EDU (Joel Murphy)
Wed May 21 00:54:15 1997
Date: Tue, 20 May 1997 14:58:36 -0400
Reply-To: Joel Murphy <jmurphy@CNU.ACSU.BUFFALO.EDU>
From: Joel Murphy <jmurphy@CNU.ACSU.BUFFALO.EDU>
X-To: shadows@whitefang.com
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.BSF.3.95q.970517113739.8196D-100000@whatever.kuwait.net>
from "Thamer Al-Herbish" at May 17, 97 11:43:47 am
>
> On Solarisx86 2.5 I was able to connect to a unix domain socket,
> *regardless* of permissions. After posting about it on a solaris usenet
> group the only recommendation anyone gave me was to create it in an
> unreadable directory. So the attacker would have to guess its name.
> Still *anyone* could have connected to that domain socket, and fed my
> application bogus data.

Same with sparc. Solaris uses a loopback device (/dev/ticotsord) and
streams for emulating unix domain sockets.

Recently, I've been trying to write some code that would give me the
user id of the person at the other end of a unix socket or tli
connection, but I haven't had much luck. The only way I think I could
do this would be to poke around in the kernel structures for the tl
device, which I really don't want to do. The undocumented door calls
seem to provide authentication information, but that would be worse.
Oh, well. Anyone have any ideas?

There might even be a way around the directory permissions. I don't
know if the tl device is looking at the file, or the socket emulation
code in the client is trying to be clever.

Joel Murphy
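
Added example, not part of the original message or either poster's code: a server that puts its socket in a private (mode 0700) directory, as suggested in the quoted text, and also asks the kernel for the uid of the connecting peer before keeping the connection. It assumes Linux, where getsockopt(SO_PEERCRED) returns the peer's credentials; it is not the Solaris 2.5 mechanism discussed in the thread, and the function names and the /tmp path are constructed for the example.

```c
#define _GNU_SOURCE   /* struct ucred and SO_PEERCRED are Linux-specific (assumption) */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Ask the kernel which uid is on the other end of a connected AF_UNIX socket. */
int peer_uid(int fd, uid_t *uid)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0 || len != sizeof(cred))
        return -1;
    *uid = cred.uid;
    return 0;
}

/* Accept one client; keep the fd only if the peer runs as `allowed`, else drop it. */
int accept_if_uid(int lfd, uid_t allowed)
{
    uid_t uid;
    int cfd = accept(lfd, NULL, NULL);
    if (cfd < 0) return -1;
    if (peer_uid(cfd, &uid) != 0 || uid != allowed) { close(cfd); return -1; }
    return cfd;
}

/* Constructed self-test: socket inside a mkdtemp() directory (0700), one local client. */
int selftest(uid_t allowed)
{
    char dir[] = "/tmp/sockdemo.XXXXXX";              /* constructed path */
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int ok = -1, afd = -1, lfd, cfd;
    if (!mkdtemp(dir)) return -1;
    snprintf(sa.sun_path, sizeof(sa.sun_path), "%s/ctl", dir);
    lfd = socket(AF_UNIX, SOCK_STREAM, 0);
    cfd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (lfd >= 0 && cfd >= 0 &&
        bind(lfd, (struct sockaddr *)&sa, sizeof(sa)) == 0 && listen(lfd, 1) == 0 &&
        connect(cfd, (struct sockaddr *)&sa, sizeof(sa)) == 0)
        ok = (afd = accept_if_uid(lfd, allowed)) >= 0 ? 0 : -1;
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    unlink(sa.sun_path); rmdir(dir);
    return ok;
}

int main(void) { return selftest(geteuid()) == 0 ? 0 : 1; }
```

The uid check does not depend on the socket file's own permission bits, so it still rejects a peer who has learned the socket's path.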