Harold L Hunt II wrote:
Eran Tromer wrote:
If /tmp/XWin.log is a symlink, XWin will merrily follow it and write to whatever it's pointing to (see LogInit() in os/log.c). This allows standard symlink-following attacks.
In theory, but have you actually tried it and confirmed that it works with two different users that did not already both have permissions to overwrite the file in question?
Yes, I did verify it.
With two distinct users, not in the same group, and with neither an administrator?
I just don't see how you could overwrite a file at all if you don't have permission on the underlying filesystem... what OS was this with? Were you using NTFS or FAT32? FAT32 could explain things... in which a user could overwrite a file anyway since FAT32 doesn't provide security, so protecting for this in XWin.exe would be pointless.
Please provide more details of your test.
Harold
