The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006, allows local users to overwrite arbitrary files, or read another user's Xsession errors file, via a symlink attack on a /tmp/xses-$USER file.
In xinitrc's Xsession (RHEL4) this doesn't seem to be a problem as we use mktemp. and this is only if ~/.xsession-errors cannot be written for some reason: 11 # redirect errors to a file in user's home directory if we can 12 if [ -z "$GDMSESSION" ]; then 13 # GDM redirect output itself in a smarter fashion 14 errfile="$HOME/.xsession-errors" 15 if cp /dev/null "$errfile" 2> /dev/null ; then 16 chmod 600 "$errfile" 17 exec > "$errfile" 2>&1 18 else 19 errfile=$(mktemp -q /tmp/xses-$USER.XXXXXX) 20 if [ $? -eq 0 ]; then 21 exec > "$errfile" 2>&1 22 fi 23 fi 24 fi Xsession as provided in kdebase for RHEL4 is a symlink to the xinitrc-provided Xsession script. While the copy of /dev/null to ~/.xsession-errors does use the user's umask (upstream changes the umask to 077 before the copy), this is only a problem if the user's home directory is using non-default permissions (0700 is the default). Using mktemp makes the file 600 regardless of umask: % mktemp -q /tmp/xses-$USER.XXXXXX /tmp/xses-vdanen.pe8701 % ls -al /tmp/xses-vdanen.pe8701 -rw------- 1 vdanen vdanen 0 Dec 22 11:30 /tmp/xses-vdanen.pe8701 % umask 022 % umask 077 % mktemp -q /tmp/xses-$USER.XXXXXX /tmp/xses-vdanen.iv8733 % ls -al /tmp/xses-vdanen.iv8733 -rw------- 1 vdanen vdanen 0 Dec 22 11:31 /tmp/xses-vdanen.iv8733 So provided the user hasn't changed their home directory permissions to something insecure (which allows for exposure to potentially more damning things than ~/.xsession-errors), I would not consider this a flaw on RHEL4 or later.