drwxrwxrwt 4 root root 1024 Nov 14 07:35 /tmp/
drwxr-xr-x 2 root root 1024 Oct 29 00:03 /tmp/X11-unix/
srwxrwxrwx 1 root root 0 Oct 29 00:03 X0=
And expectedly, I get (as a user):
$ mv X0 Y0
mv: cannot move `X0' to `Y0': Permission denied
Just my $0.02,
Scott
On Fri, 14 Nov 1997, Carlo Wood wrote:
: Hi,
:
: this isn't an exploit - I let others write that ;) (don't
: have time for that).
:
: But five minutes ago I found something that might be abused:
:
: On my (RedHat4.2) linux box, I find:
:
: /tmp/.X11-unix/X0=
:
: A UNIX domain socket of the X server I assume.
:
: The permissions are:
:
: drwxrwxrwt 3 root root 1024 Nov 14 01:38 /tmp/
: drwxrwxrwx 2 root users 1024 Nov 14 01:56 /tmp/.X11-unix/
: srwxrwxrwx 1 root users 0 Nov 13 23:09 X0
:
: So, as any user (I did it as 'nobody'), I can do:
:
: rm /tmp/.X11-unix/X0
:
: After which X doesn't work anymore (can't open a new terminal).
:
: I can also do:
:
: cd /tmp/.X11-unix
: mv X0 Y0
:
: (can't open an xterm)
:
: mv Y0 X0
:
: (everything works again).
:
: Now I didn't test the following, but doesn't this mean that I can
: - as nobody - mv X0 Y0; open a new X0 socket and start to accept
: connections, piping everything to Y0, reading everything people
: type, like passwords when they use 'su' ? ...
:
: Carlo Wood
:
: PS This is my first post, so I expect to make a terrible error
: here somehow ;). If so, I hope the moderator will simply
: refuse the post.
:
: --
: carlo@runaway.xs4all.nl, Run @ IRC.
:
: ircd development: http://www.xs4all.nl/~carlo17/ircd-dev
:
: