Bugtraq mailing list archives

Re: X11 cookie hijacker


From: casper () HOLLAND SUN COM (Casper Dik)
Date: Wed, 4 Nov 1998 10:16:45 +0100


Evil grin. It has already been told a million times: you are asking for
a problem if your /tmp/.X11-unix (and/or /tmp/.X11-pipe on Solaris) has
the permission bits allowing other users to play games with its contents.


Please note that with the latest Solaris 2.5.1 patches (not sure about
the Solaris 2.6 status of same) as well as in Solaris 7, the permissions of
/tmp/.X11-* are:

drwxrwxr-x   2 root     root         104 Nov  3 08:59 /tmp/.X11-pipe/
drwxrwxr-x   2 root     root         104 Nov  3 08:59 /tmp/.X11-unix/


(This is no problem when Xsun is started by root through dtlogin;
since it's only set-gid root, it's slightly trickier when started
from the command line)


- set the sticky bit on /tmp/.X11-unix, make sure the bit stays there

        Unfortunately, some systems will allow users to remove such
        directories from /tmp (This is what happened when SV got their
        hands on the sticky bit and messed with it)

- make it world-unwritable, make sure it stays this way (this works if
 all your Xservers run with some extra privileges)

This is what Sun has done (the servers already run set-uid root (x86) or
set-gid root (SPARC) to access devices (x86) and change the priority of
processes with the input focus (both)).

- special Solaris option: put /tmp/.X11-{unix,pipe} into /etc/logindevperm
 (assumption: the user sitting at the console is the only one who uses X)

Ugh; that might not be such a hot idea; /etc/logindevperm will gladly
follow symbolic links for chowns (has to for devices) and once you own
/tmp/.X11-* you can remove it, replace it with a link and log out and back
in again.

- abolish Unix-domain X11 sockets and use TCP only (giving up MIT-SHM etc)


Which is really hard to do with X11R6.4 which will go through hoops to
find out whether the hostname to connect to is local; and if so, use
local transport.


Casper
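A defender-side audit of the directory properties this thread turns on (a real directory rather than a symlink, root-owned, and not world-writable, or at worst world-writable with the sticky bit). This is an added example, not part of Casper's post; the audit_x11_dir function, its optional expected-owner argument and its exit-code convention (0 hardened, 1 unsafe, 2 sticky-bit only) are my own.

```shell
#!/bin/sh
# audit_x11_dir DIR [EXPECTED_UID]
#   Checks one X11 socket directory such as /tmp/.X11-unix or /tmp/.X11-pipe.
#   Exit status: 0 = hardened (root-owned, not world-writable),
#                1 = unsafe (symlink, missing, wrong owner, world-writable),
#                2 = world-writable but sticky (weaker: some systems let users
#                    remove such directories from /tmp anyway).
audit_x11_dir() {
    dir=$1
    want_uid=${2:-0}          # root by default; tests pass their own uid
    rc=0
    # A symlink here is exactly the logindevperm chown-follows-link problem.
    if [ -L "$dir" ]; then
        echo "$dir: is a symbolic link, not a real directory"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir: does not exist (a user could create it first)"
        return 1
    fi
    # ls -ldn prints numeric uid/gid: field 1 is the mode string, field 3 the uid.
    set -- $(ls -ldn "$dir")
    mode=$1
    uid=$3
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected $want_uid"
        rc=1
    fi
    other_w=$(printf '%s' "$mode" | cut -c9)    # world-write bit
    other_x=$(printf '%s' "$mode" | cut -c10)   # world-exec or sticky ('t'/'T')
    if [ "$other_w" = w ]; then
        case $other_x in
            t|T)
                echo "$dir: world-writable; relies only on the sticky bit"
                [ "$rc" = 0 ] && rc=2
                ;;
            *)
                echo "$dir: world-writable without sticky bit"
                rc=1
                ;;
        esac
    fi
    return $rc
}

# Usage when run as a script: audit both Solaris-style directories.
if [ "${AUDIT_X11_MAIN:-no}" = yes ]; then
    audit_x11_dir /tmp/.X11-unix; audit_x11_dir /tmp/.X11-pipe
fi
```

Set AUDIT_X11_MAIN=yes to run the two checks at the bottom; otherwise the file can be sourced and the function called on any directory.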


