GNU screen [PSARC/2008/413 FastTrack timeout 07/14/2008]
Nicolas Williams
Nicolas.Williams at sun.com
Wed Jul 2 09:36:43 PDT 2008
On Wed, Jul 02, 2008 at 11:35:15AM -0500, Nicolas Williams wrote:
> On Wed, Jul 02, 2008 at 10:59:03AM +0100, Brian Ruthven - Sun UK wrote:
> > However, this seems like a very simple DoS attack to me. It's obvious
> > what the problem is (thankfully, the error messages are meaningful), but
> > it still requires manual intervention to fix the problem. What steps could
> > be taken to prevent this? (if it is even worth preventing in the first
> > place)
>
> We have this attack for lots of other things, sadly.
>
> > I'll offer the following for consideration:
> > Could the socket dir be located under, e.g. /var/run instead?
> > I hesitantly also suggest a new tmpfs filesystem, something like
> > /var/screens.
> > The solution of Solaris creating the directory every bootup seems
> > like a bit of a hack to me, but I'll mention it anyway :-)
>
> IMO the correct solution is for a PAM module (pam_unix_session) to
> mktemp a user's TMPDIR the first time the user logs in since boot. The
> module should record this TMPDIR so that the user gets the same TMPDIR
> on subsequent logins whenever possible (e.g., whenever the TMPDIR is
> still owned by the user). The module should set that environment
> variable.
>
> And then screen could use $TMPDIR/screens as the socket dir.
I forgot to say: not this case.
The point is: I don't mind if screen uses /tmp/S-$USER even though
that's DoSeable -- the user can always specify a SCREENDIR to screen. I
also don't mind if it uses $HOME/.screens.
Nico
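As an added example (not from this thread and not screen's own code), the kind of check a defensive wrapper could run before handing a socket directory to screen: try the directories the thread mentions in order, create a missing one with mode 0700, and only accept a real directory owned by the caller with exactly that mode. The candidate order (SCREENDIR, $TMPDIR/screens, $HOME/.screens) and the function names are assumptions for illustration.

```shell
#!/bin/sh
# dir_is_safe DIR: succeed only if DIR is a directory (not a symlink),
# owned by the current user, with permission bits exactly 0700.
# find does not follow symlinks at the starting point, so a symlink fails -type d.
dir_is_safe() {
    [ -n "$(find "$1" -prune -type d -user "$(id -un)" -perm 700 -print 2>/dev/null)" ]
}

# choose_socket_dir: print the first usable socket directory, in the order
# SCREENDIR, $TMPDIR/screens, $HOME/.screens (assumed order for this example).
# A candidate that already exists but fails dir_is_safe (e.g. pre-created by
# someone else, or with a permissive mode) is skipped instead of being used.
choose_socket_dir() {
    for cand in "${SCREENDIR:-}" "${TMPDIR:+$TMPDIR/screens}" "$HOME/.screens"; do
        [ -n "$cand" ] || continue
        if [ ! -e "$cand" ] && [ ! -L "$cand" ]; then
            # Plain mkdir (no -p) fails if something appeared in the meantime;
            # the ownership/mode check below decides whether to use it.
            mkdir -m 700 "$cand" 2>/dev/null || true
        fi
        if dir_is_safe "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    echo "no usable socket directory found" >&2
    return 1
}

# Usage (not run here): d=$(choose_socket_dir) && SCREENDIR=$d screen -ls
```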