| Field | Value |
|---|---|
| Summary | /tmp/.ICE-unix/ owned by non-root user |
| Product | [Retired] Red Hat Linux |
| Reporter | NILMONI DEB <ndeb> |
| Component | XFree86 |
| Assignee | Mike A. Harris <mharris> |
| Status | CLOSED ERRATA |
| QA Contact | David Lawrence <dkl> |
| Version | 9 |
| CC | k.georgiou, mitr, notting |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Last Closed | 2006-03-09 08:51:12 UTC |
| Type | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
Description NILMONI DEB 2003-03-23 20:42:26 UTC
Description of problem:
As explained in http://mail.gnome.org/archives/gnome-hackers/2001-September/msg00176.html, /tmp/.ICE-unix/ has user:user ownership. This makes it a security issue and also delays the startup of the GUI. This may be due to a libICE bug ( https://listman.redhat.com/pipermail/enigma-list/2002-June/014027.html ) but the current culprit is the /etc/rc.sysinit script, which has these lines:

    # Delete ICE locks
    rm -rf /tmp/.ICE-unix

Even if the ownership of /tmp/.ICE-unix is changed to root:root, at the next reboot this directory is deleted. Now, when X is started, a new /tmp/.ICE-unix is created with non-root ownership. The workaround is to have these lines instead in /etc/rc.sysinit:

    # Delete ICE locks
    rm -rf /tmp/.ICE-unix/*
    chown root:root /tmp/.ICE-unix/

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
1. start X
2. check ownership of /tmp/.ICE-unix

Actual results: Non-root ownership of /tmp/.ICE-unix/

Expected results: /tmp/.ICE-unix/ should be owned by root:root

Additional info:
Comment 1 NILMONI DEB 2003-05-01 22:49:46 UTC
The same problem is present in Red Hat 9. Can somebody make the small change in /etc/rc.sysinit and fix this?
Comment 4 Mike A. Harris 2004-06-18 16:37:14 UTC
We're tracking this issue in the upstream bug report: http://freedesktop.org/bugzilla/show_bug.cgi?id=306

As Jim indicates in his initial comment, the solution for this is not immediately obvious. There are a number of approaches that could be taken, each one carrying various risks to code stability. We'll follow the progress upstream on this one, and once it's resolved there, it will eventually make it into newer Red Hat OS releases once we integrate newer X.Org X11 releases.

For the time being, we might as well add the following:

    # Delete ICE locks
    rm -rf /tmp/.ICE-unix
    mkdir -p /tmp/.ICE-unix
    chown root:root /tmp/.ICE-unix

While it isn't a real solution, it will likely work well enough for the most part.
Comment 5 Mike A. Harris 2004-06-18 16:38:07 UTC
Bill: Do the changes I propose above look ok to you?
Comment 6 Bill Nottingham 2004-06-28 20:02:37 UTC
Hm, that almost sounds like something should just own the directory.
Comment 7 Kostas Georgiou 2004-06-28 21:52:05 UTC
You probably also want to add chmod 1777 /tmp/.ICE-unix as well
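The boot-time kludge this thread converges on, comment 4's delete/recreate/chown sequence plus the chmod 1777 from comment 7, written out as an added example. This is not the initscripts change Bill committed and not code from the bug report; it assumes GNU coreutils stat (the -c format option) and defaults to the /tmp/.ICE-unix path libICE hardcodes. ice_dir_prepare is the root-only boot step; ice_dir_check is an unprivileged audit that reports the symptom from the original report (a non-root owner), a wrong mode, or a symlink sitting where the directory should be.

```shell
#!/bin/sh
# Added example, not the initscripts code from this bug.
# Boot-time preparation of the ICE socket directory (comments 4 and 7)
# plus an audit that detects the ownership problem from the original report.
# Assumes GNU coreutils stat (the -c format option).

ICE_DIR="${ICE_DIR:-/tmp/.ICE-unix}"   # path is hardcoded in libICE

# ice_dir_check DIR: return 0 if DIR is a real directory owned by root (uid 0)
# with mode 1777 (sticky and world-writable, like /tmp itself); otherwise
# print the reason and return 1.
ice_dir_check() {
    dir="${1:-$ICE_DIR}"
    if [ -L "$dir" ]; then
        echo "$dir: is a symlink, expected a real directory"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir: missing"
        return 1
    fi
    uid="$(stat -c '%u' "$dir")"
    mode="$(stat -c '%a' "$dir")"
    if [ "$uid" != 0 ]; then
        echo "$dir: owned by uid $uid, expected root (0)"   # the symptom in the report
        return 1
    fi
    if [ "$mode" != 1777 ]; then
        echo "$dir: mode $mode, expected 1777"
        return 1
    fi
    return 0
}

# ice_dir_prepare DIR: the rc.sysinit sequence from comments 4 and 7.
# Must run as root. At boot no user session exists yet, so nothing can
# race the window between mkdir and chown/chmod.
ice_dir_prepare() {
    dir="${1:-$ICE_DIR}"
    rm -rf "$dir"             # delete ICE locks (a symlink is removed, not followed)
    mkdir -p "$dir"
    chown root:root "$dir"
    chmod 1777 "$dir"
}

# Audit the live directory when asked to, e.g.:  ICE_DIR_AUDIT=1 sh ice-dir.sh
if [ -n "${ICE_DIR_AUDIT:-}" ]; then
    ice_dir_check "$ICE_DIR"
fi
```

ice_dir_prepare belongs in the boot sequence before any display manager starts; ice_dir_check can run from a cron job or a login script as any user and will flag exactly the state the reporter saw, a /tmp/.ICE-unix that some user session created and therefore owns.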
Comment 8 Bill Nottingham 2004-06-28 22:11:43 UTC
Well, if the directory exists, none of the X code will ever a) remove it b) change the permissions, correct?
Comment 9 Havoc Pennington 2004-06-29 08:16:03 UTC
If we make the package own the dir, maybe it should move to /var/run/ICE/ ?
Comment 10 Kostas Georgiou 2004-06-29 09:02:28 UTC
I am not quite sure that it can be moved without breaking existing applications. It is hardcoded in libICE.* and there are quite a few statically linked X11 applications :( IMHO it has to be created at boot time under /tmp/.ICE-unix. It's quite common for admins to replace the /tmp partition without backing up anything (arguably a sysadmin error), so having a package owning it won't be enough, I am afraid.
Comment 11 Mike A. Harris 2004-06-29 14:43:12 UTC
I don't think it is a good idea to have a package owning files in /tmp, because by definition /tmp is temporary and it is legal to blow it away. I think it's reasonable to add a kludge to initscripts to create the dir or fix the perms if it doesn't exist though, at least until a proper solution is implemented in a future X.Org release. Egbert/Jim were working out something last I saw, but I'm not sure when it's planned to go in. I'll have to ping them about that. I think hacking the initscripts will fix the short term problem mostly "good 'nuff" so to speak. ;o)
Comment 12 Bill Nottingham 2004-06-29 18:48:08 UTC
Added in initscripts CVS, will be in 7.58-1.
Comment 13 Kostas Georgiou 2004-06-30 09:33:38 UTC
Great, can you please add it in U3 for RHEL as well?
Comment 14 Bill Nottingham 2004-06-30 19:22:28 UTC
Probably not at this time; could be queued for U4, though.
Comment 15 Bill Nottingham 2004-06-30 19:44:49 UTC
Will be in 7.31.15.EL-1 or later, whenever that is released.