Skip to content

Security & code-quality findings from RustDesk maintainer review (rustdesk/rustdesk#15420) #6

Description

@fxd0h

Tracking issue for the security and code-quality findings raised in the RustDesk maintainer's security review of libdrmtap-sys 0.4.3, the privileged TCB behind rustdesk/rustdesk#15420.

The review (architecture, full audit, summary) was thorough and is appreciated. It also credited what is already in place: fail-closed/unconditional confinement (the build hard-codes HAVE_LIBCAP/HAVE_SECCOMP and assert!s the link), the PR_SET_NO_NEW_PRIVS -> drop-caps -> default-KILL seccomp sequence, the /dev/dri/ device allowlist, no injection vectors, and correct client-side bounds checks.

TCB findings (this repo)

Out of scope here (consumer-side, tracked in the RustDesk PR)

The central deployment risk — a world-executable file-capability helper on multi-user hosts — and the related packaging fixes (install root:<group> 0750 instead of 0755, gate the helper copy on the actual feature, keep drm off in default builds, document the multi-user threat model) live in the RustDesk integration, not in libdrmtap, and are being handled on the PR.

On "author-authored privileged C, minimal external scrutiny"

The review fairly noted this code is new and authored by the same person submitting the PR. Tracking these findings publicly, with attribution, is part of addressing that: the security work on the TCB should be transparent and open to review. External scrutiny of the helper is welcome.


Reported by the RustDesk maintainer (reviewing as @rustdesk) in the security review of rustdesk/rustdesk#15420.

Metadata

Metadata

Assignees

No one assigned

    Labels

    securitySecurity-relevant issue or hardening

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions