Sebastian Krahmer of the SUSE Security Team reported that systemd-logind, a part of the systemd service and system manager, did not create certain special files in a secure way. systemd-logind is responsible for managing and tracking user login sessions, and if a user were to log into the X11 desktop, it creates entries in /run/user/[username]/X11, where /run/user/[username] is a user-owned directory. Because systemd-logind does not create the entries in a secure fashion, a malicious user could replace /run/user/[username]/X11 with a symlink to another root-owned directory, such as /etc/pam.d or /etc/cron.d. This would cause a symlink named "display" to be created in the target directory, which is a symlink to a user-owned file (/tmp/.X11-unix/X0). Using further attack vectors and this symlink, the malicious user could obtain a root shell, if he could beat two separate race conditions.
Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue.
Sebastian indicated that the following git commit removes the X11/ directory, rendering this ineffective, although it's not known whether this fixes the flaw fully, or simply renders this one avenue ineffective.
This is public now:
SUSE bug report:
Created systemd tracking bugs for this issue
Affects: fedora-all [bug 799086]
systemd-37-15.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.