Bug#581338: x11-common sets wrong permissions for Xwrapper.config

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#581338: x11-common sets wrong permissions for Xwrapper.config
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Wed, 12 May 2010 13:21:04 +0400
Message-id: <[🔎] 20100512092104.25519.19216.reportbug@gandalf.local>
Reply-to: Michael Tokarev <mjt@tls.msk.ru>, 581338@bugs.debian.org

Package: x11-common
Version: 1:7.3+20
Severity: minor
Tags: patch

In x11-common.postinst the /etc/X11/Xwrapper.config gets created using
tmpfile ($NEW_XWRAPPER_CONFIG).  By default, tmpfile creates temp file
with mode 0600.  With that mode the new file is installed to the right
place.

There's no security-sensible information in this file, unlike, say,
/etc/shadow which has to have restrictive permissions, -- this file
only contains two settings used by X setuid wrapper, which are also
available from debconf database.

It is not usually a problem to have that file mode 0600.  But this
becomes problematic when, for example, the client is run off an NFS
root (where I've actually hit this issue).  And generally, non-
security-sensitive files aren't created with mode 0600.

The fix is trivial: tempfile now has -m MODE argument, so replacing

  NEW_XWRAPPER_CONFIG=$(tempfile)

with 


  NEW_XWRAPPER_CONFIG=$(tempfile -m 0644)

is enough.  So I'm tagging this as "patch available" :)

This bug is very old, it's here since xfree86-4.3.0 (Jul 2004)
or even pre-dates that.

Thanks!

/mjt

Reply to:

Prev by Date: Bug#580946: #580946 xterm: latest upgrade broke scrolling on kFreeBSD
Next by Date: Bug#581216: xserver-xorg-video-r128: when launching X server system can't load graphic card.
Previous by thread: Bug#581223: (no subject)
Next by thread: xorg-server: Changes to 'debian-experimental'
Index(es):
- Date
- Thread