Re: UNIX domain socket (Solarisx86 2.5)

Joel Murphy (jmurphy@CNU.ACSU.BUFFALO.EDU)
Tue, 20 May 1997 14:58:36 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Darren Moffat: "Re: AIX 4.2 dtterm exploit"
Previous message: Georgi Guninski: "AIX 4.2 dtterm exploit"
Maybe in reply to: Thamer Al-Herbish: "UNIX domain socket (Solarisx86 2.5)"
Next in thread: Casper Dik: "Re: UNIX domain socket (Solarisx86 2.5)"

>
> On Solarisx86 2.5 I was able to connect to a unix domain socket,
> *regardless* of permissions. After posting about it on a solaris usenet
> group the only recommendation anyone gave me was to create it in an
> unreadable directory. So the attacker would have to guess its name.
> Still *anyone* could of connected to that domain socket, and fed my
> application bogus data.

same with sparc. Solaris uses a loopback device (/dev/ticotsord) and
streams for emulating unix domain sockets.

recently, I've been trying to write some code that would give me the
user id of the person at the other end of a unix socket or tli
connection, but I haven't had much luck. The only way I think I could
to this would be to poke around in the kernel structures for the tl
device, which I really don't want to do. The undocumented door calls
seem to provide authentication information, but that would be a worse.
Oh, well. Anyone have any ideas?

There might even be a way around the directory permissions. I don't
know if the tl device is looking at the file, or the socket emulation
code in the client is trying to be clever.

Joel Murphy

Next message: Darren Moffat: "Re: AIX 4.2 dtterm exploit"
Previous message: Georgi Guninski: "AIX 4.2 dtterm exploit"
Maybe in reply to: Thamer Al-Herbish: "UNIX domain socket (Solarisx86 2.5)"
Next in thread: Casper Dik: "Re: UNIX domain socket (Solarisx86 2.5)"