keosd security concerns


From: https://cpp.cs.cloud.vt.edu/blockchain/eosio/eosio

  • Running in a shared Unix environment. The EOSIO software stack as available for download does not appear to be designed for use in a multi-user Unix/Linux environment, at least not for use in a production environment. For instance, the build chain (eosio-cpp) does not support multiple users because it does not separate the names of files when compiling (e.g. /tmp/filename.cpp.o when compiling filename.cpp), which would make it vulnerable to TOCTOU attacks in shared environments.

    More importantly, the cleos tool communicates with the keosd background program through a Unix socket whose permissions allow anyone in the same Unix group as the current user to access a user's unlocked wallet, thus giving the ability to sign transactions for any accounts for which a user holds keys in their wallet.
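To check a host for the socket exposure described above, the following added example (not part of the quoted source or of EOSIO) reports which permission classes other than the owner can connect to a Unix socket. It assumes Linux semantics and that the socket is at `~/eosio-wallet/keosd.sock` unless another path is given; `socket_exposure` and its `top` parameter are names made up for this example.

```python
import os
import stat
import sys

def socket_exposure(sock_path, top="/"):
    """Return which permission classes besides the owner can connect().

    Linux requires write permission on a pathname Unix socket and search (x)
    permission on every directory leading to it. Directories above `top` are
    assumed traversable.
    """
    path = os.path.realpath(sock_path)
    top = os.path.realpath(top)
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix socket")
    exposed = set()
    if st.st_mode & stat.S_IWGRP:
        exposed.add("group")
    if st.st_mode & stat.S_IWOTH:
        exposed.add("other")
    d = os.path.dirname(path)
    while True:
        dst = os.stat(d)
        for cls in sorted(exposed):
            # Members of the socket's group get a directory's group bits only
            # when the directory has the same group; otherwise they are
            # approximated as "other" for that directory.
            same_group = cls == "group" and dst.st_gid == st.st_gid
            bit = stat.S_IXGRP if same_group else stat.S_IXOTH
            if not dst.st_mode & bit:
                exposed.discard(cls)
        if d == top or d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    return exposed

if __name__ == "__main__":
    # Assumed default location; pass the real socket path as argv[1].
    default = os.path.expanduser("~/eosio-wallet/keosd.sock")
    target = sys.argv[1] if len(sys.argv) > 1 else default
    who = socket_exposure(target)
    print(f"{target}: reachable by owner" + "".join(f", {c}" for c in sorted(who)))
    if who:
        print(f"mitigation: chmod 700 {os.path.dirname(os.path.realpath(target))}")
```

An empty result means only the owner (and root) can reach the socket; restricting the wallet directory to mode 700 closes the group path even when the socket itself stays group-writable.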
