Bugtraq mailing list archives

not only NetBSD [was Re: X11R6 NetBSD Security Problem]


From: pavel () BUG UCW CZ (Pavel Machek)
Date: Fri, 26 Mar 1999 13:55:13 +0100


Hi!

If this has already been brought up, you have the right to stone me to
death, but I haven't seen it and I've searched, so here it is:

I was fooling around today, and decided to rm /tmp/.X11-unix and then make
a symbolic link from a file to /tmp/.X11-unix and then startx. So I backed
up /etc/passwd and
ln -s /etc/passwd /tmp/.X11-unix
and then startx'd as normal user account, but X wouldn't start, it
complained and said "is not a directory". So, I made a symbolic link from
/root to /tmp/.X11-unix, and startx'd as a normal user, and was surprised
to have write access to /root.

I tried to reproduce on 2.2.4 linux using

XFree86 Version 3.3.2 / X Window System
(protocol Version 11, revision 0, vendor release 6300)
Release Date: March 2 1998
        If the server is older than 6-12 months, or if your card is newer
        than the above date, look for a newer version before reporting
        problems.  (see http://www.XFree86.Org/FAQ)

. I'm not able to get write access to /etc, still I'm able to create file

srwxrwxrwx   1 root     root            0 Mar 26 13:48 X0=

in previously unwritable directory. Bug, it seems. [There was some
talk about /tmp/.X11-unix directories, and I think that this problem
might very well get _worse_ with new 3.3.3 release. Please check.]

                                                                Pavel

--
I'm really pavel () atrey karlin mff cuni cz.      Pavel
Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).


