Sebastian Krahmer of the SUSE Security Team reported that systemd-logind, a part of the systemd service and system manager, did not create certain special files in a secure way. systemd-logind is responsible for managing and tracking user login sessions, and if a user were to log into the X11 desktop, it creates entries in /run/user/[username]/X11, where /run/user/[username] is a user-owned directory. Because systemd-logind does not create the entries in a secure fashion, a malicious user could replace /run/user/[username]/X11 with a symlink to another root-owned directory, such as /etc/pam.d or /etc/cron.d. This would cause a symlink named "display" to be created in the target directory, which is a symlink to a user-owned file (/tmp/.X11-unix/X0). Using further attack vectors and this symlink, the malicious user could obtain a root shell, if he could beat two separate race conditions. Acknowledgements: Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue.
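The unsafe step in the report above is creating an entry by pathname inside a directory the user owns, so a symlink swapped in at the X11 component redirects the creation into a root-owned directory. The C program below is an added illustration, not systemd's code, of the defensive pattern: open the subdirectory with O_NOFOLLOW, verify through the opened fd that it is a real directory owned by the expected uid, and create the entry relative to that fd with symlinkat. The temporary directory under /tmp and the scenario in run_demo are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open <parent>/<name> as a directory WITHOUT following a symlink at <name>,
 * then confirm through the opened fd that it is a real directory owned by uid.
 * Returns a directory fd, or -1 (errno is ELOOP when <name> is a symlink). */
static int open_user_subdir_nofollow(const char *parent, const char *name, uid_t uid)
{
    int pfd = open(parent, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (pfd < 0) return -1;
    int dfd = openat(pfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    close(pfd);
    if (dfd < 0) return -1;
    struct stat st;
    if (fstat(dfd, &st) < 0 || !S_ISDIR(st.st_mode) || st.st_uid != uid) {
        close(dfd);
        return -1;
    }
    return dfd;
}

/* Create the "display" entry relative to the verified directory fd, so the
 * path component that the user controls is never resolved again by name. */
static int create_display_link(const char *parent, const char *name, uid_t uid, const char *target)
{
    int dfd = open_user_subdir_nofollow(parent, name, uid);
    if (dfd < 0) return -1;
    int r = symlinkat(target, dfd, "display");
    close(dfd);
    return r;
}

/* Constructed scenario: with a real X11 subdirectory the entry is created;
 * after X11 is replaced by a symlink to another directory, creation is
 * refused instead of landing in that directory. Returns 0 if both hold. */
int run_demo(void)
{
    char base[] = "/tmp/logind-demo-XXXXXX";   /* constructed temp location */
    if (!mkdtemp(base)) return -1;
    char user[256], other[256], x11[256];
    snprintf(user, sizeof user, "%s/user", base);
    snprintf(other, sizeof other, "%s/other", base);
    snprintf(x11, sizeof x11, "%s/user/X11", base);
    mkdir(user, 0700); mkdir(other, 0700); mkdir(x11, 0700);
    int created = create_display_link(user, "X11", getuid(), "/tmp/.X11-unix/X0");
    rmdir(x11); symlink(other, x11);         /* X11 is now a symlink, not a dir */
    int refused = create_display_link(user, "X11", getuid(), "/tmp/.X11-unix/X0");
    return (created == 0 && refused == -1) ? 0 : 1;
}

int main(void) { printf("demo: %s\n", run_demo() == 0 ? "ok" : "FAILED"); return 0; }
```

Note that the ownership check alone would not help if the directory were opened by path after the swap; opening with O_NOFOLLOW and then working only through the fd is what closes the window the report describes.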
Sebastian indicated that the following git commit removes the X11/ directory, rendering this ineffective, although it's not known whether this fixes the flaw fully, or simply renders this one avenue ineffective. http://cgit.freedesktop.org/systemd/systemd/commit/?id=fc3c1c6e091ea16ad5600b145201ec535bbb5d7c
This is public now: http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00030.html
SUSE bug report: https://bugzilla.novell.com/show_bug.cgi?id=747154
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 799086]
systemd-37-15.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.