Posted Jul 18, 2009 9:59 UTC (Sat) by i3839 (guest, #31386)
In reply to: Rootless X by jsbarnes
Parent article: Rootless X
> any remaining users of the input device nodes after that would be assumed
> to be malicious and could be killed by simply looking at the list of
> processes associated with those files.
That doesn't seem safe because it is very racy. E.g. two malicious processes ping-pong the fd via unix domain sockets. With some bad luck you either kill the wrong one or don't see the fd at all. An alternative race is dup2'ing the fd around, or simply doing a fork() at the right time.
This also needs root access, which is needed to do ownership changes anyway, but unlike changing ownership, chasing processes and killing them is tricky and dangerous. Interesting exploit: somehow letting a root process open an input device (e.g. via a symlink) and letting it get killed.