systemd create or overwrite arbitrary files

The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/.

diff --git a/src/login/logind-session.c b/src/login/logind-session.c
index e78af02..bb802e5 100644
--- a/src/login/logind-session.c
+++ b/src/login/logind-session.c
@@ -376,15 +376,13 @@ static int session_link_x11_socket(Session *s) {
return -ENOENT;
}
- t = strappend(s->user->runtime_path, "/X11/display");
+ t = strappend(s->user->runtime_path, "/X11-display");
if (!t) {
log_error("Out of memory");
free(f);
return -ENOMEM;
}
- mkdir_parents(t, 0755);
-
if (link(f, t) < 0) {
if (errno == EEXIST) {
unlink(t);
@@ -637,7 +635,7 @@ static int session_unlink_x11_socket(Session *s) {
s->user->display = NULL;
- t = strappend(s->user->runtime_path, "/X11/display");
+ t = strappend(s->user->runtime_path, "/X11-display");
if (!t) {
log_error("Out of memory");
return -ENOMEM;