Description of problem:
As explained in http://mail.gnome.org/archives/gnome-hackers/2001-September/msg00176.html the /tmp/.ICE-unix/ has user:user ownership. This makes it a security issue and also delays the startup of the GUI. This may be due to a libICE bug ( https://listman.redhat.com/pipermail/enigma-list/2002-June/014027.html ) but the current culprit is the /etc/rc.sysinit script which has these lines:

    # Delete ICE locks
    rm -rf /tmp/.ICE-unix

Even if the ownership of /tmp/.ICE-unix is changed to root:root, at the next reboot this directory is deleted. Now, when X is started, a new /tmp/.ICE-unix is created with non-root ownership. The workaround is to have these lines instead in /etc/rc.sysinit:

    # Delete ICE locks
    rm -rf /tmp/.ICE-unix/*
    chown root:root /tmp/.ICE-unix/

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. start X
2. check ownership of /tmp/.ICE-unix

Actual results:
Non-root ownership of /tmp/.ICE-unix/

Expected results:
/tmp/.ICE-unix/ should be owned by root:root

Additional info:
The same problem is present in Red Hat 9. Can somebody make the small change in /etc/rc.sysinit and fix this?
We're tracking this issue in the upstream bug report: http://freedesktop.org/bugzilla/show_bug.cgi?id=306

As Jim indicates in his initial comment, the solution for this is not immediately obvious. There are a number of approaches that could be taken, each one carrying various risks to code stability. We'll follow the progress upstream on this one, and once it's resolved there, it will eventually make it into newer Red Hat OS releases once we integrate newer X.Org X11 releases.

For the time being, we might as well add the following:

    # Delete ICE locks
    rm -rf /tmp/.ICE-unix
    mkdir -p /tmp/.ICE-unix
    chown root:root /tmp/.ICE-unix

While it isn't a real solution, it will likely work good enough for the most part.
Bill: Do the changes I propose above look ok to you?
Hm, that almost sounds like something should just own the directory.
You probably also want to add chmod 1777 /tmp/.ICE-unix as well
Well, if the directory exists, none of the X code will ever a) remove it b) change the permissions, correct?
If we make the package own the dir, maybe it should move to /var/run/ICE/ ?
I am not quite sure that it can be moved without breaking existing applications. It is hardcoded in libICE.* and there are quite a few statically linked X11 applications :( IMHO it has to be created at boot time under /tmp/.ICE-unix. It's quite common for admins to replace the /tmp partition without backing up anything (arguably a sysadmin error) so having a package owning it won't be enough, I am afraid.
I don't think it is a good idea to have package owning files in /tmp, because by definition, /tmp is temporary and it is legal to blow it away. I think it's reasonable to add a kludge to initscripts to create the dir or fix the perms if it doesn't exist though, at least until a proper solution is implemented in a future X.Org release. Egbert/Jim were working out something last I saw, but I'm not sure when it's planned to go in. I'll have to ping them about that. I think hacking the initscripts will fix the short term problem mostly "good 'nuff" so to speak. ;o)
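Putting together the rc.sysinit fragment from comment 3 with the chmod 1777 from comment 6, as an added example rather than the initscripts change that was actually committed. The directory path and owner are parameters (an assumption, so it can be exercised against a scratch directory as an unprivileged user); a real rc.sysinit would call it with the defaults.

```shell
#!/bin/sh
# Boot-time kludge for /tmp/.ICE-unix: remove stale ICE sockets, then make
# sure the directory exists, is owned by root and has mode 1777 (sticky,
# world-writable) so every user's X session can still create its own
# socket but cannot remove anyone else's.
#
# Assumption (not from the thread): path and owner are parameters so the
# function can run outside a real boot, e.g. on a temp dir as a normal user.
ensure_ice_dir() {
    dir="${1:-/tmp/.ICE-unix}"
    owner="${2:-0:0}"   # numeric root:root

    # "rm -rf" on the path removes a symlink instead of following it, so the
    # directory created afterwards is always a real directory we own. This is
    # why the comment-3 form (remove, recreate) is preferable to only purging
    # the contents and chown'ing whatever is already there.
    rm -rf "$dir"
    mkdir -p "$dir" || return 1
    chown "$owner" "$dir" || return 1
    chmod 1777 "$dir" || return 1
}

# Returns 0 when the directory exists as a real directory with the expected
# numeric owner and mode 1777; non-zero otherwise. GNU stat is assumed.
check_ice_dir() {
    dir="$1"
    owner="$2"
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ "$(stat -c '%u:%g %a' "$dir")" = "$owner 1777" ]
}

# Stand-alone use: apply the real defaults (needs root).
if [ "${1:-}" = "--apply" ]; then
    ensure_ice_dir && check_ice_dir /tmp/.ICE-unix 0:0
fi
```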
Added in initscripts CVS, will be in 7.58-1.
Great, can you please add it in U3 for RHEL as well?
Probably not at this time; could be queued for U4, though.
Will be in 7.31.15.EL-1 or later, whenever that is released.