Bug 22586

Summary: Current /tmp/.ICE-unix handling can lead to local DoS
Product: xorg Reporter: Jean Delvare <jdelvare>
Component: Lib/ICEAssignee: Xorg Project Team <xorg-team>
Status: RESOLVED MOVED QA Contact: Xorg Project Team <xorg-team>
Severity: major    
Priority: high CC: eich, mat
Version: 7.4 (2008.09)   
Hardware: x86 (IA32)   
OS: Linux (All)   
Whiteboard: 2011BRB_Reviewed
i915 platform: i915 features:

Description Jean Delvare 2009-07-01 11:03:33 UTC 
When starting a new X session, one or more sockets are created in /tmp/.ICE-unix. One of these sockets is named after the PID of the process. This means that it is trivial for a local user of the system to prevent all other users from logging in, causing a local DoS. This can be done with the following command:

seq 1 $(cat /proc/sys/kernel/pid_max) | (cd /tmp/.ICE-unix && xargs touch)

I've verified it on a variety of Linux distributions, including Slackware 12.0, SLED10 SP2 and openSUSE 11.1.

Evil intentions left apart, as sockets created in /tmp/.ICE-unix are not deleted on logout, on systems with many users, logins will start failing eventually after some use time. I did experience this on a system with 3 users after just a few months (this is how I noticed the problem.)

I think that at least the sockets should be deleted when logging out. Then the socket names should be made non-predictable to prevent any local DoS attack.
Comment 1 Jeremy Huddleston Sequoia 2011-10-06 11:03:18 UTC 
Admins should set perms on /tmp/.ICE-unix and friends such that only authorized 
local users can create those sockets ... I realize tthat doesn't really help 
the situation, but it makes me think this isn't that big of an issue.
Comment 2 GitLab Migration User 2018-08-10 20:19:52 UTC 
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/lib/libice/issues/1.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.