On Wed, 2011-01-05 at 11:12 -0500, Adam Jackson wrote:
> The deeper problem is that clients authenticate themselves to the server, but then simply trust that the server is the server they were hoping for. If you don't have a process tree relationship (like the gdm +displayfd case) then you have to go all the way to something like Kerberos for that kind of bidirectional auth.
Not quite: you can use the xauth cookie as a pre-shared key.
> Simply moving back to filesystem sockets does not solve that -
Right; what solves it is putting the socket in a place that is writable only by the user running the server.
> and indeed, has _more_ DoS conditions than abstract sockets since they don't get garbage-collected on system crash
They do if you use a tmpfs (e.g., /var/run with systemd), but in any event it's easy enough to unlink the socket or try another name. The more significant DoS condition is another user taking the name you want, which can happen in the abstract namespace but not in a directory only you can write.
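The two points in this reply, using the xauth cookie as a pre-shared key so the client can also verify the server, and binding the listening socket only in a directory the server's own user controls, are shown together in the example below. It is added here as an illustration and is not code from this thread or from the X server; the cookie value, the `client`/`server` role tags, the HMAC-SHA256 challenge-response construction and the `bind_socket`/`socket_dir_is_private` helper names are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import socket
import stat

# Constructed cookie for the example; a real one comes from ~/.Xauthority.
COOKIE = bytes.fromhex("00112233445566778899aabbccddeeff")


def make_nonce() -> bytes:
    """Fresh 16-byte challenge; each side contributes one."""
    return secrets.token_bytes(16)


def prove(cookie: bytes, role: bytes, nonce_c: bytes, nonce_s: bytes) -> bytes:
    """HMAC over both nonces, tagged with the prover's role so a proof
    cannot simply be reflected back by the other side."""
    return hmac.new(cookie, role + nonce_c + nonce_s, hashlib.sha256).digest()


def mutual_auth(client_cookie: bytes, server_cookie: bytes):
    """Run the exchange with each side holding its own copy of the cookie.
    Returns (server_accepted_client, client_accepted_server).  A server that
    does not know the cookie fails the second check, which is exactly the
    gap in the plain MIT-MAGIC-COOKIE-1 flow."""
    nonce_c = make_nonce()          # client -> server
    nonce_s = make_nonce()          # server -> client
    client_proof = prove(client_cookie, b"client", nonce_c, nonce_s)
    server_ok = hmac.compare_digest(
        client_proof, prove(server_cookie, b"client", nonce_c, nonce_s))
    server_proof = prove(server_cookie, b"server", nonce_c, nonce_s)
    client_ok = hmac.compare_digest(
        server_proof, prove(client_cookie, b"server", nonce_c, nonce_s))
    return server_ok, client_ok


def socket_dir_is_private(directory: str) -> bool:
    """True when the directory is owned by us and writable by nobody else,
    so no other user can squat on the socket name inside it."""
    st = os.lstat(directory)
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == os.getuid()
            and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def bind_socket(directory: str, name: str) -> socket.socket:
    """Bind a listening AF_UNIX socket at directory/name, refusing unsafe
    directories and clearing a stale socket left by a crashed server."""
    if not socket_dir_is_private(directory):
        raise PermissionError(f"{directory} is not private to uid {os.getuid()}")
    path = os.path.join(directory, name)
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        st = None
    if st is not None:
        # Only remove what is a socket and ours; anything else is suspicious.
        if stat.S_ISSOCK(st.st_mode) and st.st_uid == os.getuid():
            os.unlink(path)
        else:
            raise FileExistsError(f"{path} exists and is not our socket")
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(path)
    sock.listen(1)
    return sock


if __name__ == "__main__":
    import tempfile
    print("same cookie:", mutual_auth(COOKIE, COOKIE))
    print("impostor server:", mutual_auth(COOKIE, b"wrong cookie!!!!"))
    d = tempfile.mkdtemp()           # mkdtemp creates the directory mode 0700
    s = bind_socket(d, "X0")
    print("bound", s.getsockname())
    s.close()
```

In the abstract namespace there is no directory to check, so the `socket_dir_is_private` step has no equivalent and whoever binds the name first wins; with a filesystem path the squatting risk collapses to "can someone else write this directory", which the check answers before any unlink happens.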