Mir

Mir server running as root does not accept connections from non-root clients

Bug #1169075 reported by Daniel van Vugt on 2013-04-15

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Mir	Invalid	Medium	Unassigned

Bug Description

Mir server running as root does not accept connections from non-root clients.

This is going to become a problem soon. We need to run Mir as root now due to bug 1169034. However that means /tmp/mir_socket is: srwxr-xr-x 1 root root
So a client has to be running as root to connect.

Obviously we need to make it accessible to non-root clients, or make the server workable as non-root (bug 1169034).

Revision history for this message

Alexandros Frantzis (afrantzis) wrote on 2013-04-17:

This is a general problem, not specific to root. The mir socket is owned by the user starting mir and disallows writes from any other user. Making it 777 would solve this.

Revision history for this message

Daniel van Vugt (vanvugt) wrote on 2013-04-17:

I would suggest:
chmod 660
chgrp video

Revision history for this message

Daniel van Vugt (vanvugt) wrote on 2013-04-17:

Scrap that. Even the console user is not in video.

X allows access to everyone and just does its own security...
srwxrwxrwx 1 root root 0 Apr 16 09:04 /tmp/.X11-unix/X0

Revision history for this message

Daniel van Vugt (vanvugt) wrote on 2013-04-17:

How about this:

1. System boots.

2. System compositor starts and creates:
srwx------ root root /tmp/.mir/console (or "system" or whatever)

3. User enters login details and system compositor either creates, or instructs the session compositor to create:
srwx------ user user /tmp/.mir/session0

So only the logged in user (or root) may access the session.

Robert Ancell (robert-ancell) on 2013-05-15

Changed in mir:
status:	New → Triaged

Revision history for this message

Richard Elkins (texadactyl) wrote on 2013-10-08:

777 means that anyone can write to the socket, potentially from anywhere, and execute the contents. Don't let that "file" be executable; 666 would work better.

For access control, I would never rely on flat-file permissions. If authentication is needed [Mir team?], it would be better to use a client or mutual authentication handshake mechanism such as employing PKI and certificates signed by a CA. After authentication completes, data encryption would not be required.

Revision history for this message

Alan Griffiths (alan-griffiths) wrote on 2013-10-08:

There are three cases:

The system compositor (e.g. unity_system_compositor) needs privileged access - but doesn't export any endpoint and should be supplying a socket fd to processes it trusts (assuming that is now implemented).

A session compositor - this shouldn't need to run as root (as it should be in "nested" mode with the system compositor as host). This ought to run as the user and creates an endpoint identified to clients by $MIR_SOCKET.

Standalone Mir needs privileged access - and exports a "well known endpoint". This is the historical configuration and has the default /tmp/mir_socket with default permissions.

Revision history for this message

kevin gunn (kgunn72) wrote on 2013-10-08:

related https://bugs.launchpad.net/ubuntu/+source/mir/+bug/1236912
"please use XDG_RUNTIME_DIR instead of /tmp for mir_socket"

Revision history for this message

Robert Ancell (robert-ancell) wrote on 2013-10-08:

See bug 1211141 for work on making the u-s-c socket private.

Alberto Aguirre (albaguirre) on 2015-12-18

Changed in mir:
status:	Triaged → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.