On Mon, Feb 14, 2000 at 07:08:20PM +1100, Brian May wrote:
> To reproduce:
>
> (won't work if anything has already started X including gdm/wdm/xdm
> since the last boot).
>
> 1. Login as user X.
> 2. touch /tmp/.X11-unix
> 3. Login as user Y.
> 4. Run startx.
> 5. Since the socket could not be created under /tmp/.X11-unix, clients
>    will fail to connect. Only a reboot, root, or user X can fix the problem.
>
> For the record, here is the error I get:
>
>   _X11TransSocketUnixConnect: Can't connect: errno = 20
>
> I have reported a similar bug for esound's usage of /tmp/.esd (which
> IMHO is worse, as only one socket name under /tmp/.esd can be used).
>
> Note: attack for X might also be possible by the other user creating a
> directory and restricting access, I haven't tested this in detail yet
> though.
Good call on that. I think the appropriate fix is to have the /tmp cleaner
create /tmp/.X11-unix after cleaning out /tmp. Or maybe it should exclude
.X11-unix. OTOH, that lets people park crap in there without it getting
cleaned. I guess it should delete everything _in_ /tmp/.X11-unix, but not the
directory itself. (rm -rf /tmp/.X11-unix/*, except that somebody could make a
symlink called .X11-unix and make rm do something nasty. Grrr...)

Ok, I think the best solution is to clean out /tmp completely, then recreate
.X11-unix. This means putting

  mkdir --mode=1777 /tmp/.X11-unix

in /etc/init.d/bootmisc.sh (right, developers? :) This is a tradeoff, because
forcing creation of /tmp/.X11-unix is ugly if X is not used on the machine.
The same solution applies to esd, I guess, with even more risk of making
unneeded directories. I guess that's a small price (512 bytes and an inode :)
to pay for preventing users from knocking down your door.

Another solution is to have X clobber /tmp/.X11-unix if it is bogus when it
starts up, and/or adjust the permissions on it. This is not so nice, since it
means putting code into the X server or making another set-uid program.
Hrmmm.

BTW, I don't like the idea of X having a boot script that runs from rcS.d. I
hate having huge numbers of things run at boot time. I haven't gotten around
to putting all the debian boot time stuff into 1 or 2 files (like I did with
Stampede) on my personal machine, and I don't think I will, since that would
break the wonderfully marvelous package system a bit. One directory seems a
bit too frivolous to have a whole boot script for.

Oh... even better idea: bootmisc.sh could check for the existence of
/tmp/.X11-unix before cleaning out /tmp. If it exists, then it is recreated
with mode 1777:

  # replacement for /tmp cleaner in bootmisc.sh
  # remember which socket directories existed so they can be recreated below
  # (shell variable names may not contain '-', so use underscores)
  [ -d /tmp/.X11-unix ] && make_x=yes
  [ -d /tmp/.esd ] && make_esd=yes
  # clean dot files + other files in /tmp; keep quota files and lost+found
  # ('.' and '+' are escaped so egrep matches them literally)
  cd /tmp && ls | egrep -v '^quota\.(user|group)$|^lost\+found$' | xargs rm -rf .[^.]*
  # maybe we should stick with the find command used currently, but since it
  # checks UID on the preserved files, and cleans out /tmp/lost+found.
  # I like my version for efficiency, though :) somebody check that egrep
  # command if you decide to use it, though :) (I haven't tried this script.)
  # the variables are quoted so the test does not break when they are unset
  [ "$make_x" = yes ] && mkdir --mode=1777 .X11-unix
  [ "$make_esd" = yes ] && mkdir --mode=1777 .esd

-- 
#define X(x,y) x##y
DUPS Secretary ; http://is2.dal.ca/~dups/
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , dal.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack my day
 so wretchedly into small pieces!" -- Plautus, 200 BCE
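As an added illustration of the boot-time fix discussed in this thread (this is not the script from Peter's mail, and the function names check_socket_dir, recreate_socket_dir and ensure_socket_dir are hypothetical), the following POSIX sh functions verify that a socket directory is a real, sticky, world-writable directory owned by the expected uid, and otherwise replace whatever is squatting there without following a planted symlink. It assumes GNU stat (-c '%u %a').

```shell
#!/bin/sh
# Added example: validate and, if needed, recreate an X11-style socket
# directory so that a pre-created file, symlink or foreign-owned directory
# cannot block other users' X servers.  Intended to run from a boot script
# before any user can log in.  Function names are hypothetical.

# check_socket_dir DIR OWNER_UID
# Succeeds only if DIR is a real directory (not a symlink), owned by
# OWNER_UID, with mode 1777 (sticky + world-writable).  Uses GNU stat.
check_socket_dir() {
    dir=$1; want_uid=$2
    [ -L "$dir" ] && return 1          # symlink: someone planted it
    [ -d "$dir" ] || return 1          # plain file (touch attack) or missing
    set -- $(stat -c '%u %a' "$dir")   # -> "uid mode", e.g. "0 1777"
    [ "$1" = "$want_uid" ] && [ "$2" = "1777" ]
}

# recreate_socket_dir DIR
# Remove whatever sits at DIR without following a symlink (so rm never
# acts on the link target), then create a fresh sticky directory.
# mkdir -m applies the mode regardless of the current umask.
recreate_socket_dir() {
    dir=$1
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        rm -f "$dir"                   # removes the file or the link itself
    else
        rm -rf "$dir"                  # real but bad dir: drop it and contents
    fi
    mkdir -m 1777 "$dir"
}

# ensure_socket_dir DIR OWNER_UID: the bootmisc.sh-style entry point.
ensure_socket_dir() {
    check_socket_dir "$1" "$2" || recreate_socket_dir "$1"
}
```

In a real boot script the owner uid would be 0 and the directories /tmp/.X11-unix and /tmp/.esd.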

