On Tue, 27 Dec 2005, Dave Feustel wrote:
> On Tuesday 27 December 2005 11:05, Otto Moerbeek wrote:
> >
> > On Tue, 27 Dec 2005, Dave Feustel wrote:
> >
> > > by KDE are root-owned and world rw. There is also a problem with the
> > > socket /tmp/.X11-unix/X0. This is documented on the web and even in an
> > > OpenBSD
> > > presentation on XFree86 from about 2002.
> >
> > Dunno about KDE but can you elaborate or give refs why having a world
> > writable unix domain socket is considered a problem?
>
> Here is a presentation of XFree86 security issues that I found yesterday
> that seems to be relevant. X0 permissions are specifically addressed. I am
> definitely having fewer (if any) problems after several times rm'ing the tmp
> files associated with Xorg and KDE. I've done it with no problems except
> when I do it while KDE is running. Then DCOP dies. The most reliable way
> of reactivating DCOP correctly is (right now) to reboot KDE.
>
> http://www.openbsd.org/papers/xf86-sec.pdf
Indeed this paper mentions problems with unix domain sockets. But it
is talking about socket _creation_, not _using_ a unix domain
socket.
So far you only have given very vague, circumstantial evidence.
-Otto