FreeBSD-SA-02:27-rc


by Nikola Strahija on May 29th, 2002

rc is the system startup script (/etc/rc). It is run when FreeBSD is booted multi-user, and performs a multitude of tasks to bring the system up. One of these tasks is to remove lock files left by X Windows, as their existence could prevent one from restarting the X Windows server.

II. Problem Description

When removing X Windows lock files, rc uses the rm(1) command and
shell globbing:

rm -f /tmp/.X*-lock /tmp/.X11-unix/*

Since /tmp is a world-writable directory, a user may create
/tmp/.X11-unix as a symbolic link to an arbitrary directory. The next
time that rc is run (i.e. the next time the system is booted), rc will
then remove all of the files in that directory.
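
The behaviour described above, reproduced in a throwaway sandbox next to a cleanup that removes the /tmp/.X11-unix entry itself instead of globbing through it. This is an added example, not the advisory's patch; the function names and the sandbox layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compares the rc cleanup line quoted in the advisory with a
# variant that never expands a glob through .X11-unix.
# Every path lives in a mktemp sandbox; function names are hypothetical.

# Cleanup as quoted in the advisory, with /tmp replaced by the directory "$1".
clean_vulnerable() {
    rm -f "$1"/.X*-lock "$1"/.X11-unix/*
}

# Hardened variant: remove the .X11-unix entry itself, then recreate it.
# rm -r does not follow a symbolic link given as an operand (no trailing
# slash), so a planted link is unlinked and its target is left untouched.
clean_hardened() {
    rm -f "$1"/.X*-lock
    rm -rf "$1/.X11-unix"
    mkdir -m 1777 "$1/.X11-unix"
}

# Build a sandbox in which .X11-unix is a symlink to a directory holding two
# constructed files, run the cleanup function named in "$1", and print how
# many of those files are still present afterwards.
survivors_after() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/tmp" "$sandbox/victim"
    touch "$sandbox/victim/a.conf" "$sandbox/victim/b.conf"
    touch "$sandbox/tmp/.X0-lock"
    ln -s "$sandbox/victim" "$sandbox/tmp/.X11-unix"
    "$1" "$sandbox/tmp"
    count=$(find "$sandbox/victim" -type f | wc -l | tr -d ' ')
    rm -rf "$sandbox"
    echo "$count"
}

echo "vulnerable: $(survivors_after clean_vulnerable) of 2 files survive"
echo "hardened:   $(survivors_after clean_hardened) of 2 files survive"
```
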

III. Impact

Users may remove the contents of arbitrary directories if the
/tmp/.X11-unix directory does not already exist and the system can
be enticed to reboot (or the user can wait until the next system
maintenance window).

IV. Workaround

Find and remove or comment-out the following line in /etc/rc:

rm -f /tmp/.X*-lock /tmp/.X11-unix/*

The following command executed as root will do this:

/bin/sh -c 'echo -e "/.X11-unix/s/^/#/\nw\nq\n" | /bin/ed -s /etc/rc'

V. Solution

1) Upgrade your vulnerable system to 4.5-STABLE; or to either of the
RELENG_4_5 (4.5-RELEASE-p6) or RELENG_4_4 (4.4-RELEASE-p13) security
branches dated after the respective correction dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch
# fetch

b) Execute the following commands as root:

# cd /usr/src
# patch
