[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

denial of service attack for X/esound?

To reproduce:

(won't work if anything has already started X including gdm/wdm/xdm
since the last boot).

1. Login as user X.
2. touch /tmp/.X11-unix
3. Login as user Y.
4. Run startx.
5. Since the socket could not be created under /tmp/.X11-unix, clients
will fail to connect. Only a reboot, root, or user X can fix the problem.

For the record, here is the error I get:

_X11TransSocketUnixConnect: Can't connect: errno = 20

I have reported a similar bug for esound's usage of /tmp/.esd (which
IMHO is worse, as only one socket name under /tmp/.esd can be used).

Note: attack for X might also be possible by the other user creating a
directory and restricting access, I haven't tested this in detail yet

I hope this isn't already known, but I looked up the BTS and couldn't
find anything. I haven't yet filled a bug against X, as I am not sure
what package to file the bug against...
Brian May <bam@debian.org>

Reply to: