Bug 306

Summary: [security] /tmp/.X11-unix and /tmp/.ICE-unix file ownership and permissions
Product: xorg
Component: Lib/Xlib
Reporter: Jim Gettys <jg>
Assignee: Xorg Project Team <xorg-team>
Status: RESOLVED FIXED
Severity: major
Priority: high
CC: ajax, dberkholz, matthieu.herrb, mharris
Version: unspecified
Hardware: x86 (IA32)
OS: All
Bug Blocks: 999
Attachments: Early discussion on Gnome mailing list about this issue. (Flags: none)

Description Jim Gettys 2004-03-15 10:25:21 UTC
These directories should be owned by root with appropriate protection;
in particular, things can fail if the sockets contained in them are
not accessible to clients properly.

Exactly what the right fix is for this problem isn't immediately obvious.
We will open a discussion on the desktop lists to hash through the
right solutions. The .X11-unix directory is less problematic, as the X server
is (usually) running as root and could (does?) ensure the right properties
on the directory. But the .ICE-unix directory can/does often get set
incorrectly.

This can cause *really* mystic failures at times, for example,
when changing a user's uid if you don't know to search the file system
for all occurrences of files owned by someone and change appropriately.
Comment 1 Jim Gettys 2004-03-15 10:29:13 UTC
Created attachment 141
Early discussion on Gnome mailing list about this issue.
Comment 2 Egbert Eich 2004-05-07 03:35:23 UTC
*** Bug 297 has been marked as a duplicate of this bug. ***
Comment 3 Kevin E. Martin 2004-08-06 12:06:43 UTC
I believe Egbert has checked in a patch to make the checking more strict.  Are
there any other issues that we want to address in this release?  If not, please
move this bug over to blocking the release notes bugs (#999).
Comment 4 Kevin E. Martin 2004-08-09 09:31:19 UTC
Closing and moving over block release notes as discussed on release wranglers call
