Bug 230008 (CVE-2006-5215)

Summary: CVE-2006-5215 xdm symlink attack
Product: [Other] Security Response Reporter: Josh Bressers <bressers>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-22 18:34:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 210312    
Bug Blocks:    

Description Josh Bressers 2007-02-25 19:50:17 UTC 
The Xsession script, as used by X Display Manager (xdm) in NetBSD before
20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006,
allows local users to overwrite arbitrary files, or read another user's Xsession
errors file, via a symlink attack on a /tmp/xses-$USER file.
Comment 1 Vincent Danen 2010-12-22 18:34:13 UTC 
In xinitrc's Xsession (RHEL4) this doesn't seem to be a problem as we use mktemp. and this is only if ~/.xsession-errors cannot be written for some reason:

11 # redirect errors to a file in user's home directory if we can
12 if [ -z "$GDMSESSION" ]; then
13     # GDM redirect output itself in a smarter fashion
14     errfile="$HOME/.xsession-errors"
15     if cp /dev/null "$errfile" 2> /dev/null ; then
16         chmod 600 "$errfile"
17         exec > "$errfile" 2>&1
18     else
19         errfile=$(mktemp -q /tmp/xses-$USER.XXXXXX)                                                                                                                                                  
20         if [ $? -eq 0 ]; then
21             exec > "$errfile" 2>&1
22         fi
23     fi
24 fi

Xsession as provided in kdebase for RHEL4 is a symlink to the xinitrc-provided Xsession script.

While the copy of /dev/null to ~/.xsession-errors does use the user's umask (upstream changes the umask to 077 before the copy), this is only a problem if the user's home directory is using non-default permissions (0700 is the default).

Using mktemp makes the file 600 regardless of umask:

% mktemp -q /tmp/xses-$USER.XXXXXX
/tmp/xses-vdanen.pe8701
% ls -al /tmp/xses-vdanen.pe8701
-rw-------  1 vdanen vdanen 0 Dec 22 11:30 /tmp/xses-vdanen.pe8701
% umask
022
% umask 077
% mktemp -q /tmp/xses-$USER.XXXXXX
/tmp/xses-vdanen.iv8733
% ls -al /tmp/xses-vdanen.iv8733
-rw-------  1 vdanen vdanen 0 Dec 22 11:31 /tmp/xses-vdanen.iv8733

So provided the user hasn't changed their home directory permissions to something insecure (which allows for exposure to potentially more damning things than ~/.xsession-errors), I would not consider this a flaw on RHEL4 or later.