The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/. diff --git a/src/login/logind-session.c b/src/login/logind-session.c index e78af02..bb802e5 100644 --- a/src/login/logind-session.c +++ b/src/login/logind-session.c @@ -376,15 +376,13 @@ static int session_link_x11_socket(Session *s) { return -ENOENT; } - t = strappend(s->user->runtime_path, "/X11/display"); + t = strappend(s->user->runtime_path, "/X11-display"); if (!t) { log_error("Out of memory"); free(f); return -ENOMEM; } - mkdir_parents(t, 0755); - if (link(f, t) < 0) { if (errno == EEXIST) { unlink(t); @@ -637,7 +635,7 @@ static int session_unlink_x11_socket(Session *s) { s->user->display = NULL; - t = strappend(s->user->runtime_path, "/X11/display"); + t = strappend(s->user->runtime_path, "/X11-display"); if (!t) { log_error("Out of memory"); return -ENOMEM;