Thomas Maier-Komor wrote:
> Hi,
> default permissions for .X11-pipe and .X11-unix seem to be 0775 with ownership
> root:root.
> This prevents Xnest from running. I saw that in Solaris 2.5.1 the permissions
> originally have been 0777 and a patch changed it to 0775. I suspect that there
> was no support for the sticky bit in Solaris 2.5.1.
2.5.1 certainly had the sticky bit, but there was still at least one
scenario that was claimed to be vulnerable. Although I can't remember
which right now. But perhaps along the lines of:
a) User A created and owns .X11-unix
b) User B starts Xnest on :1
c) User A then renames .X11-unix and adds a fake version instead
You can still run Xnest by using the "-pn" option, which means to still
start even if some of the sockets/pipes can't be created. You'll need
to use DISPLAY=hostname:1 rather than :1 though. There's probably a FAQ
to this effect somewhere.
Now, personally, the fix I used on 2.5.1 when we had some software that
could not live without these sockets was to say something like the
following in an /etc/rc*.d script run by root:
mkdir /var/run/.X11-pipe # directory owned by root for security
mount -F lofs /var/run/.X11-pipe /tmp/.X11-pipe
The lofs mount acts like a completely non-removable symbolic link, which
(I think) should provide the needed security.
> What are the reasons that the permission hasn't been changed to 01777 with more
> recent versions of Solaris? As I said, Xnest won't be able to run when it can't
> create the required named pipes in the above mentioned directories.
No change in sticky bit support, therefore no difference between the
releases?
Hugh.
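Added example, not from the thread or from Solaris itself: a small POSIX sh check that classifies /tmp/.X11-unix or /tmp/.X11-pipe into the cases discussed above (root-owned 0775, root-owned 01777 with sticky bit, root-owned 0777 without it, or owned by an ordinary user who could rename and replace it). It parses only "ls -ldn" output, so it works on Solaris as well as Linux; the sample lines in the test are constructed, not captured.

```shell
#!/bin/sh
# classify_mode MODESTRING UID -> prints one of:
#   user-owned     owned by a non-root user: that user can rename the whole
#                  directory and drop in a fake one, sticky bit or not
#   root-private   root-owned, not world-writable (e.g. 0775): secure, but an
#                  unprivileged Xnest cannot create its socket (use -pn)
#   root-sticky    root-owned, world-writable with sticky bit (01777): users
#                  can create sockets but cannot remove/rename each other's
#   world-nosticky root-owned 0777 without sticky bit: any user can remove or
#                  rename another user's socket
classify_mode() {
    mode="$1"; uid="$2"
    if [ "$uid" != 0 ]; then
        echo user-owned
        return
    fi
    ow=$(echo "$mode" | cut -c9)    # 'w' when "other" has write permission
    ox=$(echo "$mode" | cut -c10)   # 't' or 'T' when the sticky bit is set
    case "$ox" in t|T) sticky=1 ;; *) sticky=0 ;; esac
    if [ "$ow" != w ]; then
        echo root-private
    elif [ "$sticky" = 1 ]; then
        echo root-sticky
    else
        echo world-nosticky
    fi
}

# x11dir_status DIR: classify a real directory. "ls -ldn" prints the mode
# string in field 1 and the numeric owner uid in field 3 on both Solaris
# and Linux, so no GNU-only stat flags are needed.
x11dir_status() {
    [ -d "$1" ] || { echo missing; return 1; }
    set -- $(ls -ldn "$1")
    classify_mode "$1" "$3"
}

for d in /tmp/.X11-unix /tmp/.X11-pipe; do
    printf '%s: %s\n' "$d" "$(x11dir_status "$d")"
done
```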
_______________________________________________
opensolaris-discuss mailing list