Bugtraq mailing list archives
Re: X11 cookie hijacker
From: dawes () RF900 PHYSICS USYD EDU AU (David Dawes)
Date: Thu, 5 Nov 1998 14:48:45 +1100
On Wed, Nov 04, 1998 at 11:39:02AM -0500, der Mouse wrote:
>> drwxrwxrwx 2 root root 1024 Oct 30 19:57 /tmp/.X11-unix

>> Hang on, aren't those dangerous permissions?

>> XFree86 is still waiting for someone to come up with a real solution to the problem.

>> Potential solutions:
>> - set the sticky bit on /tmp/.X11-unix, make sure the bit stays there

> This loses big as soon as a second user tries to fire up an X server after the first one has exited.

It isn't so bad if the X server removes the old socket when it exits. It currently doesn't, but I'm looking into fixing that. We're currently testing the sticky bit option as a short-term partial solution for XFree86 3.3.3, which is due out very soon (as has already been pointed out, it doesn't help at all on some SYSV-based OSs).

>> - make it world-unwritable, make sure it stays this way (this works if all your Xservers run with some extra privileges)

> But only then. Lots of servers don't.

>> I assume from this list that you don't have a real solution?

> In the right contexts, any of those could be a real solution - the problems I've listed are not necessarily problems in any particular installation. If you want us to come up with your idea of a "real solution", first you'll have to clarify what that means. I have a couple of ideas, but I'm not about to get into a cycle of proposing an idea only to have it dismissed as a non-"real" solution without any indication what I have to do to it to make it more "real".

My definition of a "real solution" is one that solves the problem without introducing compatibility problems, loss of functionality, or other new problems. Two other solutions that people have suggested so far are:

- making all the servers setgid to some special "x11" group
- providing a small setgid (or setuid) helper program that creates the socket and which only removes an existing socket if it isn't in use (i.e. it can't be connected to).

Both of these probably qualify.

David