Logfile symlink vulnerability

[Eran Tromer]

Harold L Hunt II wrote:
> Eran Tromer wrote:
>> If /tmp/XWin.log is a symlink, XWin will merrily follow it and write
>> to whatever it's pointing to (see LogInit() in os/log.c). This allows
>> standard symlink-following attacks.
>
> In theory, but have you actually tried it and confirmed that it works
> with two different users that did not already both have permissions to
> overwrite the file in question?

Yes, I did verify it.

  Eran