Bug#555308: xserver-xorg: X inherits user's umask
Package: xserver-xorg
Version: 1:7.4+4
Severity: normal
Tags: security
X-Debbugs-Cc: team@security.debian.org
/usr/bin/X, which is a suid root program, keeps the umask of the user
that started X. This results in at least one security problem: if the
user sets umask to 0, /var/log/Xorg.*.log will be world-writable, as
can be seen below.
Please set umask in /usr/bin/X to a sane value (022).
-- Package-specific info:
/var/lib/x11/X.roster does not exist.
/var/lib/x11/X.md5sum does not exist.
X server symlink status:
lrwxrwxrwx 1 root root 13 06/04/06 /etc/X11/X -> /usr/bin/Xorg
-rwxr-xr-x 1 root root 1689944 10/13/09 13:31 /usr/bin/Xorg
/var/lib/x11/xorg.conf.roster does not exist.
VGA-compatible devices on PCI bus:
01:05.0 VGA compatible controller: ATI Technologies Inc Radeon HD 3200 Graphics
/var/lib/x11/xorg.conf.md5sum does not exist.
Xorg X server configuration file status:
-rw-r--r-- 1 root root 1310 06/23/09 02:47 /etc/X11/xorg.conf
Contents of /etc/X11/xorg.conf:
# xorg.conf (X.Org X Window System server configuration file)
#
# This file was generated by dexconf, the Debian X Configuration tool, using
# values from the debconf database.
#
# Edit this file with caution, and see the xorg.conf manual page.
# (Type "man xorg.conf" at the shell prompt.)
#
# This file is automatically updated on xserver-xorg package upgrades *only*
# if it has not been modified since the last upgrade of the xserver-xorg
# package.
#
# If you have edited this file but would like it to be automatically updated
# again, run the following command:
# sudo dpkg-reconfigure -phigh xserver-xorg
Section "InputDevice"
Identifier "Generic Keyboard"
Driver "kbd"
Option "XkbRules" "xorg"
Option "XkbModel" "samsung4500"
Option "XkbLayout" "pl"
EndSection
Section "InputDevice"
Identifier "Configured Mouse"
Driver "mouse"
EndSection
Section "Device"
Identifier "Configured Video Device"
Driver "radeonhd"
Option "AccelMethod" "EXA"
Option "DRI" "true"
EndSection
Section "Monitor"
Identifier "Configured Monitor"
EndSection
Section "Screen"
Identifier "Default Screen"
Monitor "Configured Monitor"
EndSection
Xorg X server log files on system:
-rw-rw-rw- 1 root root 179460 11/08/09 19:22 /var/log/Xorg.1.log
-rw------- 1 root root 298428 11/08/09 19:22 /var/log/Xorg.0.log
Contents of most recent Xorg X server log file
/var/log/Xorg.0.log:
HAL Information (lshal):
DRM Information from dmesg:
No AGP bridge found
Linux agpgart interface v0.103
[drm] Initialized drm 1.1.0 20060810
[drm] Initialized radeon 1.31.0 20080528 for 0000:01:05.0 on minor 0
[drm] Setting GART location based on new memory map
[drm] Loading RS780 CP Microcode
[drm] Resetting GPU
[drm] writeback test succeeded in 1 usecs
[drm] Resetting GPU
[drm] Resetting GPU
[drm] Resetting GPU
[drm] Resetting GPU
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing'), (400, 'unstable'), (300, 'experimental')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.31 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages xserver-xorg depends on:
ii console-setup 1.45 console font and keymap setup prog
ii hal 0.5.13-3 Hardware Abstraction Layer
ii libc6 2.10.1-5 GNU C Library: Shared libraries
ii x11-xkb-utils 7.4+3 X11 XKB utilities
ii xkb-data 1.6-1 X Keyboard Extension (XKB) configu
ii xserver-xorg-core 2:1.6.5-1 Xorg X server - core server
ii xserver-xorg-input-evdev [xse 1:2.2.5-1 X.Org X server -- evdev input driv
ii xserver-xorg-input-kbd [xserv 1:1.3.2-4 X.Org X server -- keyboard input d
ii xserver-xorg-input-mouse [xse 1:1.4.0-4 X.Org X server -- mouse input driv
ii xserver-xorg-video-radeonhd [ 1.2.5-1 X.Org X server -- AMD/ATI r5xx, r6
Versions of packages xserver-xorg recommends:
ii libgl1-mesa-dri 7.6-1 A free implementation of the OpenG
ii udev 146-5 /dev/ and hotplug management daemo
xserver-xorg suggests no packages.
-- debconf information excluded
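The behaviour reported above, as an added C example that is not part of the original report and is not X server code: it creates a file with a requested mode of 0666 under several inherited umasks, with and without resetting the umask to 022 as the report requests. That the log is created with a 0666 request (as fopen() does) is an assumption; the function name, scratch directory and file name are constructed for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a log file with a requested mode of 0666 (assumed, fopen()-style)
 * while the process runs with `inherited` as its umask. If `harden` is
 * nonzero, reset the umask to 022 first, the value the report asks for.
 * Returns the permission bits of the created file, or -1 on error. */
static int log_mode_under_umask(mode_t inherited, int harden)
{
    char dir[] = "/tmp/umask-demo-XXXXXX";   /* constructed scratch directory */
    char path[sizeof dir + 16];
    struct stat st;
    int fd, result = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/Xorg.demo.log", dir);

    mode_t saved = umask(inherited);         /* simulate the invoking user's umask */
    if (harden)
        umask(022);                          /* privileged program picks its own */

    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            result = (int)(st.st_mode & 07777);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    umask(saved);                            /* restore the demo process's umask */
    return result;
}

int main(void)
{
    const mode_t masks[] = { 000, 022, 077 };
    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++)
        printf("umask %03o: inherited -> %04o, reset to 022 -> %04o\n",
               (unsigned)masks[i],
               log_mode_under_umask(masks[i], 0),
               log_mode_under_umask(masks[i], 1));
    return 0;
}
```

With an inherited umask of 0 the file comes out as 0666, the same `-rw-rw-rw-` shown for /var/log/Xorg.1.log in the listing; with the reset in place the result is 0644 whatever the caller's umask was.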