Bug#555308: xserver-xorg: X inherits user's umask
tag 555308 fixed-upstream
kthxbye
On Mon, Nov 9, 2009 at 10:48:05 +0100, Piotr Engelking wrote:
> /usr/bin/X, which is a suid root program, keeps the umask of the user
> that started X. This results in at least one security problem: if the
> user sets umask to 0, /var/log/Xorg.*.log will be world-writable, as
> can be seen below.
>
> Please set umask in /usr/bin/X to a sane value (022).
>
Fixed in upstream git, thanks for the report!

commit 30be7ceaf228497ac1ff0a1123c1b35e3aa1fc73
Author: Julien Cristau <jcristau@debian.org>
Date:   Sat Nov 14 18:39:00 2009 +0100

    xfree86: set a sane umask before opening the log

    Xorg creates its log file following the umask of the user running
    startx, which may result in a world-writable log. Set umask to 022 to
    prevent this.

    Debian bug#555308 <http://bugs.debian.org/555308>
    See also http://thread.gmane.org/gmane.comp.security.oss.general/2299

    Signed-off-by: Julien Cristau <jcristau@debian.org>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Keith Packard <keithp@keithp.com>

Cheers,
Julien
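
The behaviour discussed in this message, as an added example that is not part of the original mail and not the Xorg source: a log file created with fopen() gets mode 0666 filtered by the inherited umask, and calling umask(022) first removes the group/other write bits. The helper name created_log_mode, the temporary path and the assumption that the fix is a plain umask(022) call before the open are all constructed for this illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for mkdtemp() and fileno() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: create a log file the way fopen(path, "w") does
 * (requested mode 0666, filtered by the process umask) and return the
 * permission bits it ends up with, or (mode_t)-1 on error.
 * inherited_umask simulates the umask of the user who started the program;
 * if harden is non-zero, umask(022) is applied before the open. */
mode_t created_log_mode(mode_t inherited_umask, int harden)
{
    char dir[] = "/tmp/umask-demo-XXXXXX";   /* constructed scratch location */
    char path[sizeof(dir) + 16];
    struct stat st;
    mode_t result = (mode_t)-1;
    mode_t saved = umask(inherited_umask);   /* simulate the caller's umask */

    if (mkdtemp(dir) == NULL) {
        umask(saved);
        return result;
    }
    snprintf(path, sizeof(path), "%s/demo.log", dir);

    if (harden)
        umask(022);                          /* sane mask before opening the log */

    FILE *f = fopen(path, "w");
    if (f != NULL) {
        if (fstat(fileno(f), &st) == 0)
            result = st.st_mode & 0777;
        fclose(f);
        unlink(path);
    }
    rmdir(dir);
    umask(saved);                            /* restore the real umask */
    return result;
}

int main(void)
{
    printf("umask 000, unhardened: %04o\n", (unsigned)created_log_mode(0, 0));
    printf("umask 000, hardened:   %04o\n", (unsigned)created_log_mode(0, 1));
    printf("umask 077, hardened:   %04o\n", (unsigned)created_log_mode(077, 1));
    return 0;
}
```

A plain umask(022) replaces the inherited mask rather than tightening it, so the third case yields 0644 even though the caller's mask was 077.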