Bug#661627: init script x11-common creates directories in insecure manners
On Tue, Feb 28, 2012 at 18:31:02 +0100, vladz wrote:
> Package: x11-common
> Version: 1:7.5+8
> Tags: security
>
>
> The init script "x11-common" creates directories "/tmp/.X11-unix" and
> "/tmp/.ICE-unix" in insecure manners.
>
> $ cat -n /etc/init.d/x11-common
> [...]
> 33 if [ -e $SOCKET_DIR ] && [ ! -d $SOCKET_DIR ]; then
> 34 mv $SOCKET_DIR $SOCKET_DIR.$$
> 35 fi
> 36 mkdir -p $SOCKET_DIR
> 37 chown root:root $SOCKET_DIR
> 38 chmod 1777 $SOCKET_DIR
> [...]
> 47 if [ -e $ICE_DIR ] && [ ! -d $ICE_DIR ]; then
> 48 mv $ICE_DIR $ICE_DIR.$$
> 49 fi
> 50 mkdir -p $ICE_DIR
> 51 chown root:root $ICE_DIR
> 52 chmod 1777 $ICE_DIR
>
> If a local user is able to place a symlink before the service starts
> (for example before the package installation process), he could gain
> root privileges.
>
> For example, the symlink would point to an arbitrary directory (/etc),
> so it won't match the conditions (lines 33 and 47) and the arbitrary
> directory will get its permissions changed (lines 38 and 52).
>
> As a solution, I would suggest to take care of the "mkdir" return codes
> (line 36 and 50). To do not change permissions on failures.
>
This script is set -e AFAICT, which means it already does care about the
mkdir return code.
Cheers,
Julien
Reply to: