14.6. ToolTalk
ToolTalk
is yet another distributed object system. It is part of the Common
Desktop Environment (CDE), a standard produced by a consortium of
Unix vendors, which allows desktop tools to communicate with each
other. For instance, ToolTalk enables you to drag objects from one
application to another with the expected results, and allows multiple
applications to keep track of changes to the same file.
Applications using ToolTalk do not communicate with each other
directly. Instead, communications are handled by two kinds of
ToolTalk servers. A session server, called
ttsession, handles messages that concern
processes, while an object server, called
rpc.ttdbserverd, handles messages that concern
objects. Applications register with the appropriate ToolTalk servers
to tell them what kinds of messages they are interested in. When an
application has a message to send, it sends the message to the
appropriate ToolTalk server, which redistributes it to any interested
applications and returns any replies to the sending application.
Session servers group together related processes (for instance, all
the programs started by a given user will normally be part of one
session), and multiple session servers may run on the same machine.
rpc.ttdbserverd is started from inetd
and runs as root, while ttsession is
started up as needed and runs as the user that started it. Often,
ttsession will be started when a user logs in,
but that's not required; if an application wants to use
ToolTalk but no ttsession is available, one will
be started up.
ToolTalk is based on Sun RPC. Although ToolTalk provides a range of
authentication mechanisms, most ToolTalk implementations use the
simplest one, Sun RPC's AUTH_UNIX (also called AUTH_SYS) flavor, which
authorizes requests based on the unauthenticated Unix user information
embedded in the request. This is completely forgeable: the client fills
in the user ID and group IDs itself, and the server has no way to check
them against anything. In addition, there have been a variety of
security problems with the ToolTalk implementation, including buffer
overflow problems in rpc.ttdbserverd and in the ToolTalk client
libraries. Several of these problems have allowed remote attackers to
run arbitrary programs as root.
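To make the "completely forgeable" point concrete, the following added example (not from the book, and not ToolTalk's own code) encodes a Sun RPC CALL header with AUTH_UNIX credentials as laid out in RFC 1057/5531, then decodes it the way a server would. Every identity field (machine name, uid, gid, supplementary gids) is a plain integer or string the client writes into the message, so a caller can claim uid 0 at will. The program number 100083 is the one registered for the ToolTalk database server in /etc/rpc (check yours with rpcinfo -p); procedure 0 is the NULL procedure every RPC program defines; the version number 1 and the machine name are placeholders chosen for the example. Nothing here is sent on the network; it only builds and parses bytes.

```python
import struct

# Sun RPC message constants (RFC 5531).
RPC_CALL = 0
RPC_VERSION = 2
AUTH_NONE = 0
AUTH_UNIX = 1          # a.k.a. AUTH_SYS: uid/gid supplied by the client
NULLPROC = 0           # procedure 0 exists in every RPC program
TTDB_PROG = 100083     # rpc.ttdbserverd as listed in /etc/rpc; verify locally
TTDB_VERS = 1          # assumption for the example, not taken from the page


def xdr_u32(n):
    """XDR unsigned int: 4 bytes, big-endian."""
    return struct.pack(">I", n)


def xdr_opaque(data):
    """XDR variable-length opaque: length, bytes, zero padding to 4-byte boundary."""
    pad = (-len(data)) % 4
    return xdr_u32(len(data)) + data + b"\0" * pad


def xdr_string(s):
    return xdr_opaque(s.encode())


def auth_unix_body(stamp, machinename, uid, gid, gids):
    """The AUTH_UNIX credential body. Note that uid/gid are arbitrary ints chosen here."""
    return (xdr_u32(stamp) + xdr_string(machinename) + xdr_u32(uid) + xdr_u32(gid)
            + xdr_u32(len(gids)) + b"".join(xdr_u32(g) for g in gids))


def rpc_call(xid, prog, vers, proc, cred_flavor, cred_body, args=b""):
    """An RPCv2 CALL message: header, credential, AUTH_NONE verifier, procedure args."""
    return (xdr_u32(xid) + xdr_u32(RPC_CALL) + xdr_u32(RPC_VERSION)
            + xdr_u32(prog) + xdr_u32(vers) + xdr_u32(proc)
            + xdr_u32(cred_flavor) + xdr_opaque(cred_body)
            + xdr_u32(AUTH_NONE) + xdr_opaque(b"")
            + args)


def forged_root_call(prog=TTDB_PROG, vers=TTDB_VERS, proc=NULLPROC):
    """A CALL whose AUTH_UNIX credential claims root. The values are simply typed in."""
    cred = auth_unix_body(stamp=0, machinename="attacker", uid=0, gid=0, gids=[0])
    return rpc_call(xid=0x1234, prog=prog, vers=vers, proc=proc,
                    cred_flavor=AUTH_UNIX, cred_body=cred)


def parse_call_credentials(msg):
    """Decode the CALL header and return the caller identity a server would see.
    With AUTH_UNIX there is nothing to verify: the fields are taken from the wire as-is."""
    xid, mtype, rpcvers, prog, vers, proc, flavor, cred_len = struct.unpack(">8I", msg[:32])
    if mtype != RPC_CALL or rpcvers != RPC_VERSION:
        raise ValueError("not an RPCv2 CALL message")
    cred = msg[32:32 + cred_len]
    ident = {"xid": xid, "prog": prog, "vers": vers, "proc": proc, "flavor": flavor}
    if flavor != AUTH_UNIX:
        return ident
    stamp, name_len = struct.unpack(">2I", cred[:8])
    name = cred[8:8 + name_len].decode()
    off = 8 + name_len + ((-name_len) % 4)          # skip string padding
    uid, gid, ngids = struct.unpack(">3I", cred[off:off + 12])
    gids = list(struct.unpack(">%dI" % ngids, cred[off + 12:off + 12 + 4 * ngids]))
    ident.update(stamp=stamp, machinename=name, uid=uid, gid=gid, gids=gids)
    return ident


if __name__ == "__main__":
    msg = forged_root_call()
    print(parse_call_credentials(msg))
```

Running it prints an identity record with `uid: 0`, which is exactly what a service trusting AUTH_UNIX would act on. The only defenses the page recommends, blocking RPC at the firewall and removing the service from bastion hosts, follow directly from this: the protocol itself offers nothing to verify the claimed user.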
14.6.1. Summary of Recommendations for ToolTalk
- Do not allow RPC through your firewall; since ToolTalk is built on
Sun RPC, this will prevent it from crossing the firewall.
- Remove ToolTalk from bastion host machines (this will remove some
desktop functionality, but ideally you should remove all of the
graphical user interface and desktop tools anyway).