Harold L Hunt II wrote:
> Eran Tromer wrote:
>> If /tmp/XWin.log is a symlink, XWin will merrily follow it and write
>> to whatever it's pointing to (see LogInit() in os/log.c). This allows
>> standard symlink-following attacks.
>
> In theory, but have you actually tried it and confirmed that it works
> with two different users that did not already both have permissions to
> overwrite the file in question?

Yes, I did verify it.

Eran
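One way to open a log file in a shared directory such as /tmp without following a symlink at that path, as an added example that is not part of this thread and not code from os/log.c. The names `open_log_nofollow` and `demo_symlink_refused` are hypothetical, and Linux `open(2)` behaviour is assumed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from os/log.c): open a log file in a shared
 * directory without following a symlink found at that path.
 * Returns an fd on success, -1 with errno set on refusal. */
int open_log_nofollow(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW makes open() fail if the final path component is a symlink. */
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    /* Inspect the opened object, not the path, so there is no check/use race. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed self-check in a private temp dir: a symlinked log path must be
 * refused, its target left empty, and a plain file accepted. Returns 1 if so. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/logdemo.XXXXXX", target[64], linkp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(linkp, sizeof linkp, "%s/XWin.log", dir);
    int tfd = open(target, O_WRONLY | O_CREAT, 0600);
    if (tfd < 0 || symlink(target, linkp) != 0) return -1;
    close(tfd);
    int sfd = open_log_nofollow(linkp);          /* path is a symlink */
    if (sfd >= 0) close(sfd);
    unlink(linkp);
    int fd = open_log_nofollow(linkp);           /* path is now a new regular file */
    int target_empty = stat(target, &st) == 0 && st.st_size == 0;
    if (fd >= 0) close(fd);
    unlink(linkp); unlink(target); rmdir(dir);
    return sfd < 0 && fd >= 0 && target_empty;
}
```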
