Bug#555308: xserver-xorg: X inherits user's umask
tag 555308 fixed-upstream
On Mon, Nov 9, 2009 at 10:48:05 +0100, Piotr Engelking wrote:
> /usr/bin/X, which is a suid root program, keeps the umask of the user
> that started X. This results in at least one security problem: if the
> user sets umask to 0, /var/log/Xorg.*.log will be world-writable, as
> can be seen below.
> Please set umask in /usr/bin/X to a sane value (022).
Fixed in upstream git, thanks for the report!
Author: Julien Cristau <email@example.com>
Date: Sat Nov 14 18:39:00 2009 +0100
xfree86: set a sane umask before opening the log
Xorg creates its log file following the umask of the user running
startx, which may result in a world-writable log. Set umask to 022 to
Debian bug#555308 <http://bugs.debian.org/555308>
See also http://thread.gmane.org/gmane.comp.security.oss.general/2299
Signed-off-by: Julien Cristau <firstname.lastname@example.org>
Reviewed-by: Adam Jackson <email@example.com>
Signed-off-by: Keith Packard <firstname.lastname@example.org>