
denial of service attack for X/esound?



To reproduce:

(won't work if anything has already started X including gdm/wdm/xdm
since the last boot).

1. Log in as user X.
2. touch /tmp/.X11-unix
3. Log in as user Y.
4. Run startx.
5. Since the socket could not be created under /tmp/.X11-unix, clients
will fail to connect. Only a reboot, root, or user X can fix the problem.

For the record, here is the error I get:

_X11TransSocketUnixConnect: Can't connect: errno = 20

I have reported a similar bug for esound's usage of /tmp/.esd (which
IMHO is worse, as only one socket name under /tmp/.esd can be used).

Note: an attack on X might also be possible by the other user creating a
directory and restricting access; I haven't tested this in detail yet,
though.

I hope this isn't already known, but I looked up the BTS and couldn't
find anything. I haven't yet filed a bug against X, as I am not sure
what package to file the bug against...
-- 
Brian May <bam@debian.org>
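
The check below is an added example, not part of the original post: it audits a shared socket path such as /tmp/.X11-unix or /tmp/.esd for the condition described above (a regular file where the directory should be, which is what errno 20, ENOTDIR on Linux, reports) and for the restricted-directory variant mentioned in the note. The function name, the verdict strings, and the expected owner (uid 0) and mode (1777) are assumptions of this example; it relies on a stat that accepts -c (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: audit a shared socket directory such as /tmp/.X11-unix.
# Expected owner and mode are assumptions, not values from the original post.

# check_socket_dir PATH [EXPECTED_UID] [EXPECTED_MODE]
# Prints a one-word verdict and returns 0 only for "ok".
check_socket_dir() {
    path=$1
    want_uid=${2:-0}
    want_mode=${3:-1777}

    # Test for a symlink first, because [ -d ] follows links.
    if [ -L "$path" ]; then
        echo "symlink"; return 1
    fi
    # A missing path can still be pre-created by any local user.
    if [ ! -e "$path" ]; then
        echo "missing"; return 1
    fi
    # A regular file here is the case from the post: clients get ENOTDIR.
    if [ ! -d "$path" ]; then
        echo "not-directory"; return 1
    fi
    owner=$(stat -c '%u' "$path") || { echo "stat-failed"; return 1; }
    mode=$(stat -c '%a' "$path") || { echo "stat-failed"; return 1; }
    # A directory owned by another user can be locked or removed by that user.
    if [ "$owner" != "$want_uid" ]; then
        echo "wrong-owner"; return 1
    fi
    # Anything other than the expected mode covers the restricted-access variant.
    if [ "$mode" != "$want_mode" ]; then
        echo "wrong-mode"; return 1
    fi
    echo "ok"; return 0
}

# With --audit, report on the two paths named in the post.
if [ "${1:-}" = "--audit" ]; then
    for p in /tmp/.X11-unix /tmp/.esd; do
        printf '%s: %s\n' "$p" "$(check_socket_dir "$p")"
    done
fi
```

Run with --audit before the display manager or startx is launched; any verdict other than "ok" means the path should be recreated by root before users start X or esd.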

