[patch] make vncpasswd create ~/.vnc if it doesn't exist

Andrew van der Stock ajv "at" greebo.net
Wed, 05 Sep 2001 01:04:29 +0000


It'd still be better if both this code and the install script are modified
to create files and directories with effectively "u=rwX,go=".

The risk from unchecked environment variables could be in the future if
someone decides to package VNC as a setuid or setgid program and trusts the
current code base (incorrectly but...) implicitly. It's easy to do the
necessary checking to prevent a buffer overrun. In my opinion, this is
doubly true of any portion of the program that is dedicated to security
management.

Yes, I was a bit hasty in my last statement. You do check the result (me
bad!).

Andrew

-----Original Message-----
From: owner-vnc-list "at" uk.research.att.com
[mailto:owner-vnc-list "at" uk.research.att.com]On Behalf Of Tim Waugh
Sent: Tuesday, 4 September 2001 18:34
To: Andrew van der Stock
Cc: vnc-list "at" uk.research.att.com
Subject: Re: [patch] make vncpasswd create ~/.vnc if it doesn't exist


On Tue, Sep 04, 2001 at 12:31:13PM +1000, Andrew van der Stock wrote:

> NO! NO! NO! NO!*

I know what you mean; I was horified myself to learn that the user's
.vnc directory has world execute permission.  But the passwd file has
mode 600 (see the code that creates it in the library).

I was just extending the existing convention: take a look at how the
vncserver script creates the .vnc directory.

> Do not EVER trust the environment, particularly when using sprintf() with
> bounded arrays! This is how we got into all that locale, xmcd, kerberos,
> dtmail (and so on... the list is endless) bother.

Well, to be honest, the risk here is hard to see:

* If the user's HOME environment variable is somehow changed by an
  attacker, they are in trouble anyhow since the VNC library is about
  to fopen(...,"w") the passwd file.

* Otherwise the HOME environment variable is sane, so we should worry
  about symlink attacks.  Wait---a symlink attack on a user, in their
  own home directory?  How?

> The mode of the .vnc directory should be 700 not, 755. There is no reason
to
> create this directory as 755, as this allows any user to discover the
user's
> VNC password.

Although the 'allows any user to discover the user's VNC password' bit
is incorrect (see above), I agree that this directory ought to be more
secure.  That requires a change to the vncserver script as well.

> Test the error result, don't just ignore it!

Where do I ignore an error result?

Thanks for the feedback.

Tim.
*/

[demime 0.97b removed an attachment of type application/pgp-signature]
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------