Bug#234788: Major data loss because of .xsession-errors

2004-03-01 Thread Marc Wilson
On Mon, Mar 01, 2004 at 10:27:32AM -0500, Branden Robinson wrote:
> On Sun, Feb 29, 2004 at 05:23:46PM -0500, Joey Hess wrote:
> > Tomasz Wegrzanowski wrote:
> > > When I tried it as root, X worked, but the /dev/null became 0600.
> > > So it seems it wants to chmod 0600 .xsession-errors.
> > 
> > That would probably be a security hole (at least a DOS: make ld.so 600
> > and the system stops working), but I cannot reproduce it with
> > xserver-xfree86 4.2.1-10.
> 
> It is the Xsession script in /etc/X11 that does this chmod.



> [question to the general public:] Do you think this chmod should just go
> away?

Considering the tendency of X applications to spew gods only know what to
stdout/stderr, and thus into .xsession-errors, this is probably still a
good idea.  I can't point to a case where there'd actually be
security-sensitive information included therein, but if there were...

Paranoia over all, I suppose.

-- 
 Marc Wilson | "You who hate the Jews so, why did you adopt their
 [EMAIL PROTECTED] | religion?"  -- Friedrich Nietzsche, addressing
 | anti-semitic Christians




Bug#234788: Major data loss because of .xsession-errors

2004-03-01 Thread Branden Robinson
On Sun, Feb 29, 2004 at 05:23:46PM -0500, Joey Hess wrote:
> Tomasz Wegrzanowski wrote:
> > When I tried it as root, X worked, but the /dev/null became 0600.
> > So it seems it wants to chmod 0600 .xsession-errors.
> 
> That would probably be a security hole (at least a DOS: make ld.so 600
> and the system stops working), but I cannot reproduce it with
> xserver-xfree86 4.2.1-10.

It is the Xsession script in /etc/X11 that does this chmod.

    # attempt to create an error file; abort if we cannot
    if touch $ERRFILE 2> /dev/null && [ -w $ERRFILE ]; then
      chmod 600 "$ERRFILE"
    elif ERRFILE=$(tempfile 2> /dev/null); then
      if ! ln -sf "$ERRFILE" "${TMPDIR:=/tmp}/xsession-$USER"; then
        message "warning: unable to symlink \"$TMPDIR/xsession-$USER\" to" \
                "\"$ERRFILE\"; look for session log/errors in" \
                "\"$TMPDIR/xsession-$USER\"."
      fi
    else
      errormsg "unable to create X session log/error file; aborting."
    fi

[question to the general public:] Do you think this chmod should just go
away?

I could only do the chmod if $ERRFILE is a symlink, I suppose.  Would
that be better?

-- 
G. Branden Robinson| If you're handsome, it's flirting.
Debian GNU/Linux   | If you're a troll, it's sexual
[EMAIL PROTECTED] | harassment.
http://people.debian.org/~branden/ | -- George Carlin
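
The chmod-through-a-symlink behaviour discussed in this thread, as an added example that is not part of the original messages and is not the Debian Xsession script: one way to prepare the error file so that chmod never reaches a symlink's target such as /dev/null. The helper names prepare_errfile and mode_of are hypothetical, and the sketch assumes the file lives in a directory only its owner can write to.

```sh
#!/bin/sh
# Added example, not the Debian Xsession script. prepare_errfile and mode_of
# are hypothetical helper names.

# Print the permission string of a path (symlinks followed), e.g. -rw-r--r--
mode_of() {
  ls -ldL "$1" | cut -c1-10
}

prepare_errfile() {
  errfile=$1

  # A symlink (for example to /dev/null) can still receive output, but chmod
  # would act on its target, so the mode is left alone.
  if [ -L "$errfile" ]; then
    [ -w "$errfile" ] || return 1
    echo "symlink-left-alone"
    return 0
  fi

  # No file yet: create it private from the start. noclobber (set -C) makes
  # the redirection fail if something appears at that path in the meantime.
  if [ ! -e "$errfile" ]; then
    ( umask 077 && set -C && : > "$errfile" ) 2> /dev/null || return 1
    echo "created"
    return 0
  fi

  # Existing path: tighten only a regular file owned by the current user.
  # The test and the chmod are separate steps, so this assumes the directory
  # (normally $HOME) is writable only by that user.
  if [ -f "$errfile" ] && [ -O "$errfile" ] && [ -w "$errfile" ]; then
    chmod 600 "$errfile" || return 1
    echo "tightened"
    return 0
  fi

  return 1
}
```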




Bug#234788: Major data loss because of .xsession-errors

2004-02-29 Thread Mike Mestnik
root could set up /dev/xsession-errors or even ~/.xsession-errors to be an
actual null dev with a cp -a and a chown.

--- Tomasz Wegrzanowski <[EMAIL PROTECTED]> wrote:
> On Sun, Feb 29, 2004 at 05:23:46PM -0500, Joey Hess wrote:
> > Tomasz Wegrzanowski wrote:
> > > When I tried it as root, X worked, but the /dev/null became 0600.
> > > So it seems it wants to chmod 0600 .xsession-errors.
> > 
> > That would probably be a security hole (at least a DOS: make ld.so 600
> > and the system stops working), but I cannot reproduce it with
> > xserver-xfree86 4.2.1-10.
> 
> Only if you can ln -sf /lib/ld.so /root/.xsession-errors, which you
> probably cannot. User with normal rights can't chmod /dev/null, and
> that's (probably) why it crashes.
> 
> 






Bug#234788: Major data loss because of .xsession-errors

2004-02-29 Thread Tomasz Wegrzanowski
On Sun, Feb 29, 2004 at 05:23:46PM -0500, Joey Hess wrote:
> Tomasz Wegrzanowski wrote:
> > When I tried it as root, X worked, but the /dev/null became 0600.
> > So it seems it wants to chmod 0600 .xsession-errors.
> 
> That would probably be a security hole (at least a DOS: make ld.so 600
> and the system stops working), but I cannot reproduce it with
> xserver-xfree86 4.2.1-10.

Only if you can ln -sf /lib/ld.so /root/.xsession-errors, which you
probably cannot. User with normal rights can't chmod /dev/null, and
that's (probably) why it crashes.




Bug#234788: Major data loss because of .xsession-errors

2004-02-29 Thread Joey Hess
Tomasz Wegrzanowski wrote:
> When I tried it as root, X worked, but the /dev/null became 0600.
> So it seems it wants to chmod 0600 .xsession-errors.

That would probably be a security hole (at least a DOS: make ld.so 600
and the system stops working), but I cannot reproduce it with
xserver-xfree86 4.2.1-10.

-- 
see shy jo




Bug#234788: Major data loss because of .xsession-errors

2004-02-28 Thread Tomasz Wegrzanowski
On Sat, Feb 28, 2004 at 12:56:59PM -0500, Branden Robinson wrote:
> > Rant aside, this does not work - the X kills itself on start if
> > $HOME/.xsession-errors is linked to /dev/null. And deleting it afterwards
> > doesn't make the problem disappear - it can still take arbitrary amounts
> > of diskspace, that would be freed only after closing the file - that is,
> > killing X.
> 
> Hmm, you got me there, I had never actually tried this.
> 
> Odd.  Something is trying to seek the file?

When I tried it as root, X worked, but the /dev/null became 0600.
So it seems it wants to chmod 0600 .xsession-errors.




Bug#234788: Major data loss because of .xsession-errors

2004-02-28 Thread Branden Robinson
On Sat, Feb 28, 2004 at 02:01:57PM +0100, Tomasz Wegrzanowski wrote:
> On Thu, Feb 26, 2004 at 02:44:37PM -0500, Branden Robinson wrote:
> > .xsession-error's "design" is simple.  It is a Unix file to which the
> > Unix standard output and standard error streams get redirected.
> > 
> > I am probably not qualified to architect a replacement for something as
> > venerable as Unix file I/O; I suggest you get in touch with Ken Thompson
> > and Dennis Ritchie.
> > 
> > In the meantime, I have a workaround to recommend:
> > 
> > $ ln -sf /dev/null $HOME/.xsession-errors
> 
> Rant aside, this does not work - the X kills itself on start if
> $HOME/.xsession-errors is linked to /dev/null. And deleting it afterwards
> doesn't make the problem disappear - it can still take arbitrary amounts
> of diskspace, that would be freed only after closing the file - that is,
> killing X.

Hmm, you got me there, I had never actually tried this.

Odd.  Something is trying to seek the file?

> Can you at least fix it to the point that such workaround actually works ?

Well, not until I find out what the problem is.

In the meantime, please try to identify the app that spewed 1.5GB of
noise to stdout or stderr, and file a bug on it.

-- 
G. Branden Robinson|There is no housing shortage in
Debian GNU/Linux   |Lincoln today -- just a rumor that
[EMAIL PROTECTED] |is put about by people who have
http://people.debian.org/~branden/ |nowhere to live.-- G. L. Murfin




Bug#234788: Major data loss because of .xsession-errors

2004-02-28 Thread Tomasz Wegrzanowski
On Thu, Feb 26, 2004 at 02:44:37PM -0500, Branden Robinson wrote:
> .xsession-error's "design" is simple.  It is a Unix file to which the
> Unix standard output and standard error streams get redirected.
> 
> I am probably not qualified to architect a replacement for something as
> venerable as Unix file I/O; I suggest you get in touch with Ken Thompson
> and Dennis Ritchie.
> 
> In the meantime, I have a workaround to recommend:
> 
> $ ln -sf /dev/null $HOME/.xsession-errors

Rant aside, this does not work - the X kills itself on start if
$HOME/.xsession-errors is linked to /dev/null. And deleting it afterwards
doesn't make the problem disappear - it can still take arbitrary amounts
of diskspace, that would be freed only after closing the file - that is,
killing X.

Can you at least fix it to the point that such workaround actually works ?



Processed: Re: Bug#234788: Major data loss because of .xsession-errors

2004-02-26 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> severity 234788 wishlist
Bug#234788: Major data loss because of .xsession-errors
Severity set to `wishlist'.

> retitle 234788 xfree86: change design of Unix I/O stream handling
Bug#234788: Major data loss because of .xsession-errors
Changed Bug title.

> tag 234788 + wontfix
Bug#234788: xfree86: change design of Unix I/O stream handling
Tags were: upstream woody sarge sid
Tags added: wontfix

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)



Bug#234788: Major data loss because of .xsession-errors

2004-02-26 Thread Branden Robinson
severity 234788 wishlist
retitle 234788 xfree86: change design of Unix I/O stream handling
tag 234788 + wontfix
thanks

On Wed, Feb 25, 2004 at 09:00:12PM +0100, Tomasz Wegrzanowski wrote:
> Package: xserver-xfree86
> Version: 4.3.0-2
> Severity: critical
> 
> Today .xsession-errors grew over 1.5 gigabyte, filling all free space on /home
> partition. Because of that, other programs couldn't save their data, and
> some very important data was lost. It's not the first time I lost data because
> of sudden explosion of .xsession-errors, so I'm filing a bug report with
> this severity.
> 
> I have no idea which program caused so many errors. At the moment it's just 5kB.
> But that's not really relevant. The problem is that the .xsession-errors is
> misdesigned and must be fixed - I don't care how - by setting reasonable limits
> on its size, limiting kind of errors that have to be logged, removing it altogether,
> or some other way. But the current situation is not acceptable.

Hi,

.xsession-error's "design" is simple.  It is a Unix file to which the
Unix standard output and standard error streams get redirected.

I am probably not qualified to architect a replacement for something as
venerable as Unix file I/O; I suggest you get in touch with Ken Thompson
and Dennis Ritchie.

In the meantime, I have a workaround to recommend:

$ ln -sf /dev/null $HOME/.xsession-errors

Thank you for your report, and if you should happen to visit Dennis or
Ken, don't forget to get their autographs.

-- 
G. Branden Robinson|To Republicans, limited government
Debian GNU/Linux   |means not assisting people they
[EMAIL PROTECTED] |would sooner see shoveled into mass
http://people.debian.org/~branden/ |graves.  -- Kenneth R. Kahn




Bug#234788: Major data loss because of .xsession-errors

2004-02-25 Thread Tomasz Wegrzanowski
Package: xserver-xfree86
Version: 4.3.0-2
Severity: critical

Today .xsession-errors grew over 1.5 gigabyte, filling all free space on /home
partition. Because of that, other programs couldn't save their data, and
some very important data was lost. It's not the first time I lost data because
of sudden explosion of .xsession-errors, so I'm filing a bug report with
this severity.

I have no idea which program caused so many errors. At the moment it's just 5kB.
But that's not really relevant. The problem is that the .xsession-errors is
misdesigned and must be fixed - I don't care how - by setting reasonable limits
on its size, limiting kind of errors that have to be logged, removing it altogether,
or some other way. But the current situation is not acceptable.