[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#661627: init script x11-common creates directories in insecure manners



On Tue, Feb 28, 2012 at 18:31:02 +0100, vladz wrote:

> Package: x11-common
> Version: 1:7.5+8
> Tags: security
> 
> 
> The init script "x11-common" creates directories "/tmp/.X11-unix" and
> "/tmp/.ICE-unix" in insecure manners.
> 
>   $ cat -n /etc/init.d/x11-common
>     [...]
>     33    if [ -e $SOCKET_DIR ] && [ ! -d $SOCKET_DIR ]; then
>     34      mv $SOCKET_DIR $SOCKET_DIR.$$
>     35    fi
>     36    mkdir -p $SOCKET_DIR
>     37    chown root:root $SOCKET_DIR
>     38    chmod 1777 $SOCKET_DIR
>     [...]
>     47    if [ -e $ICE_DIR ] && [ ! -d $ICE_DIR ]; then
>     48      mv $ICE_DIR $ICE_DIR.$$
>     49    fi
>     50    mkdir -p $ICE_DIR
>     51    chown root:root $ICE_DIR
>     52    chmod 1777 $ICE_DIR
> 
> If a local user is able to place a symlink before the service starts
> (for example before the package installation process), he could gain
> root privileges.
> 
> For example, the symlink would point to an arbitrary directory (/etc),
> so it won't match the conditions (lines 33 and 47) and the arbitrary
> directory will get its permissions changed (lines 38 and 52).
> 
> As a solution, I would suggest to take care of the "mkdir" return codes 
> (line 36 and 50).  To do not change permissions on failures.         
> 
This script is set -e AFAICT, which means it already does care about the
mkdir return code.

Cheers,
Julien



Reply to: