Bug#661627: init script x11-common creates directories in insecure manners
Package: x11-common
Version: 1:7.5+8
Tags: security
The init script "x11-common" creates directories "/tmp/.X11-unix" and
"/tmp/.ICE-unix" in insecure manners.
$ cat -n /etc/init.d/x11-common
[...]
33 if [ -e $SOCKET_DIR ] && [ ! -d $SOCKET_DIR ]; then
34 mv $SOCKET_DIR $SOCKET_DIR.$$
35 fi
36 mkdir -p $SOCKET_DIR
37 chown root:root $SOCKET_DIR
38 chmod 1777 $SOCKET_DIR
[...]
47 if [ -e $ICE_DIR ] && [ ! -d $ICE_DIR ]; then
48 mv $ICE_DIR $ICE_DIR.$$
49 fi
50 mkdir -p $ICE_DIR
51 chown root:root $ICE_DIR
52 chmod 1777 $ICE_DIR
If a local user is able to place a symlink before the service starts
(for example before the package installation process), he could gain
root privileges.
For example, the symlink would point to an arbitrary directory (/etc),
so it won't match the conditions (lines 33 and 47) and the arbitrary
directory will get its permissions changed (lines 38 and 52).
As a solution, I would suggest to take care of the "mkdir" return codes
(line 36 and 50). To do not change permissions on failures.
Thanks.
--
http://vladz.devzero.fr
PGP key 8F7E2D3C from pgp.mit.edu
Reply to: