Race condition in the Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060225, and Solaris 8 through 10 before 20061006, causes a user's Xsession errors file to have weak permissions before a chmod is performed, which allows local users to read Xsession errors files of other users.
In xinitrc's Xsession (RHEL4) this problem does exist: 11 # redirect errors to a file in user's home directory if we can 12 if [ -z "$GDMSESSION" ]; then 13 # GDM redirect output itself in a smarter fashion 14 errfile="$HOME/.xsession-errors" 15 if cp /dev/null "$errfile" 2> /dev/null ; then 16 chmod 600 "$errfile" 17 exec > "$errfile" 2>&1 18 else 19 errfile=$(mktemp -q /tmp/xses-$USER.XXXXXX) 20 if [ $? -eq 0 ]; then 21 exec > "$errfile" 2>&1 22 fi 23 fi 24 fi Xsession as provided in kdebase for RHEL4 is a symlink to the xinitrc-provided Xsession script. While the copy of /dev/null to ~/.xsession-errors does use the user's umask (upstream changes the umask to 077 before the copy), this is only a problem if the user's home directory is using non-default permissions (0700 is the default). So provided the user hasn't changed their home directory permissions to something insecure (which allows for exposure to potentially more damning things than ~/.xsession-errors), this shouldn't ever be exposed. RHEL5 has the upstream umask change.