[patch] make vncpasswd create ~/.vnc if it doesn't exist

Tim Waugh twaugh "at" redhat.com
Tue, 04 Sep 2001 09:39:20 +0000


On Tue, Sep 04, 2001 at 12:31:13PM +1000, Andrew van der Stock wrote:

> NO! NO! NO! NO!*

I know what you mean; I was horified myself to learn that the user's
.vnc directory has world execute permission.  But the passwd file has
mode 600 (see the code that creates it in the library).

I was just extending the existing convention: take a look at how the
vncserver script creates the .vnc directory.

> Do not EVER trust the environment, particularly when using sprintf() with
> bounded arrays! This is how we got into all that locale, xmcd, kerberos,
> dtmail (and so on... the list is endless) bother.

Well, to be honest, the risk here is hard to see:

* If the user's HOME environment variable is somehow changed by an
  attacker, they are in trouble anyhow since the VNC library is about
  to fopen(...,"w") the passwd file.

* Otherwise the HOME environment variable is sane, so we should worry
  about symlink attacks.  Wait---a symlink attack on a user, in their
  own home directory?  How?

> The mode of the .vnc directory should be 700 not, 755. There is no reason to
> create this directory as 755, as this allows any user to discover the user's
> VNC password.

Although the 'allows any user to discover the user's VNC password' bit
is incorrect (see above), I agree that this directory ought to be more
secure.  That requires a change to the vncserver script as well.

> Test the error result, don't just ignore it!

Where do I ignore an error result?

Thanks for the feedback.

Tim.
*/

[demime 0.97b removed an attachment of type application/pgp-signature]
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------