Eran Tromer wrote:

Hi,

If /tmp/XWin.log is a symlink, XWin will merrily follow it and write to
whatever it's pointing to (see LogInit() in os/log.c). This allows
standard symlink-following attacks.

Example: Alice runs "ln -s /home/Bob/phd-thesis.tex /tmp/XWin.log" under
her account. Later Bob runs XWin under his account; XWin fails for some
reason and writes to /tmp/XWin.log; Bob's life's work gets overwritten.

In theory, but have you actually tried it and confirmed that it works with two different users that did not already both have permissions to overwrite the file in question?


Harold
