[597] in linux-security and linux-alert archive
Re: XFree86 3.1.2 Security Problems
daemon@ATHENA.MIT.EDU (David Dawes)
Fri Feb 2 17:35:25 1996
From: David Dawes <dawes@rf900.physics.usyd.edu.au>
To: bvwilder@y.cs.rhbnc.ac.uk (Bruno Van Wilder)
Date: Tue, 30 Jan 1996 13:54:38 +1100 (EST)
Cc: davem+@andrew.cmu.edu, bugtraq@crimelab.com, best-of-security@suburbia.net,
linux-alert@tarsier.cv.nrao.edu, linux-security@tarsier.cv.nrao.edu,
beta@xfree86.org
In-Reply-To: <Pine.LNX.3.91.960129230931.8138B-100000@y.cs.rhbnc.ac.uk> from "Bruno Van Wilder" at Jan 29, 96 11:15:26 pm
>> There are security holes in XFree86 3.1.2, which installs its servers
>> as suid root (/usr/X11R6/bin/XF86_*). When reading and writing files,
>> it does not take proper precautions to ensure that file permissions are
>> maintained, resulting in the ability to overwrite files, and to read
>> limited portions of other files.
>[...]
>> Temporary Patch: chmod o-x /usr/X11R6/bin/XF86*
>
>This patch is not only very hard to realise on systems that need X, it is
>also insufficient; if xdm is used, the hole can still be exploited with
>the above patch installed.
Does anyone have any comments on a real fix for this? We (XFree86)
will be finalising our next beta release quite soon.
[Mod: Please direct responses to the author--not to the mailing list.
--Jeff]
I'd like the final solution to allow for both suid-root and non-suid
servers (Xnest and Xvfb are not suid-root).
One thought is to use a non-user-writable directory for the lock files
when euid==0, and use /tmp when euid!=0. Does anyone see any problems
with that?
David
--
David Dawes Email: dawes@XFree86.org
The XFree86 Project, Inc Phone: +61 2 351 2639
c/- School of Physics, Fax: +61 2 660 2903
University of Sydney 2006 AUSTRALIA
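Added example, not XFree86 code and not part of the original message: one way to implement the lock-directory proposal above in C. The lock directory is chosen by effective uid (the root-owned /var/run location and the .X<display>-lock naming are assumptions made here for illustration), and the lock file is created with O_CREAT|O_EXCL|O_NOFOLLOW so that a suid-root server never follows a pre-existing entry in a world-writable directory. The classic hazard with a privileged process creating files in /tmp is that an unprivileged user pre-places a symlink at the expected name; demo_refuses_symlink() reproduces that situation in a private temporary directory, without needing root, and checks that the symlink target is never created.

```c
/* Added example (not XFree86 code): pick the X lock-file directory by
 * effective uid, as proposed in the message above, and create the lock
 * with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-placed file or symlink in a
 * world-writable directory is refused instead of followed. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Assumed locations; the real project's paths may differ. */
#define PRIV_LOCK_DIR   "/var/run"   /* root-owned, not user-writable (assumption) */
#define UNPRIV_LOCK_DIR "/tmp"       /* world-writable, sticky */

/* Directory in which the server should create its lock file. */
const char *choose_lock_dir(uid_t euid)
{
    return euid == 0 ? PRIV_LOCK_DIR : UNPRIV_LOCK_DIR;
}

/* Build "<dir>/.X<display>-lock" into buf. Returns 0 on success. */
int lock_path(const char *dir, int display, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%s/.X%d-lock", dir, display);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Create the lock file without ever following an existing path entry.
 * O_EXCL fails if anything (file, symlink, fifo) already exists, and
 * O_NOFOLLOW guarantees a symlink is not followed even if a racing
 * rename puts one there. Returns the open fd, or -1 with errno set
 * (EEXIST/ELOOP for a pre-placed entry or stale lock). Mode 0644:
 * world-readable, writable only by the owner. */
int create_lock_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    char pidbuf[32];
    int n = snprintf(pidbuf, sizeof pidbuf, "%10ld\n", (long)getpid());
    if (write(fd, pidbuf, (size_t)n) != n) {
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Self-check that runs without root: in a private temp dir, creating the
 * lock succeeds once, then fails when a symlink (constructed here to
 * stand in for an attacker's) sits where the lock should go, and the
 * symlink target is never created. Returns 1 when all of that holds. */
int demo_refuses_symlink(void)
{
    char dir[] = "/tmp/xlockdemoXXXXXX";
    if (!mkdtemp(dir))
        return 0;
    char path[256], target[256];
    if (lock_path(dir, 0, path, sizeof path) != 0)
        return 0;
    snprintf(target, sizeof target, "%s/victim", dir);

    int fd = create_lock_file(path);
    int first_ok = fd >= 0;
    if (fd >= 0) { close(fd); unlink(path); }

    int ok = 0;
    if (symlink(target, path) == 0) {
        fd = create_lock_file(path);
        ok = first_ok && fd < 0 && (errno == EEXIST || errno == ELOOP)
             && access(target, F_OK) != 0;   /* victim never created */
        if (fd >= 0) close(fd);
        unlink(path);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    const char *dir = choose_lock_dir(geteuid());
    char path[256];
    lock_path(dir, 0, path, sizeof path);
    printf("lock dir for euid %ld: %s -> %s\n", (long)geteuid(), dir, path);
    printf("symlink refused: %s\n", demo_refuses_symlink() ? "yes" : "no");
    return 0;
}
```

Choosing a root-owned directory removes the attacker's ability to pre-place anything at all; the O_EXCL|O_NOFOLLOW open is the belt-and-braces check that keeps the non-suid servers (which must still use /tmp) from being tricked the same way.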