Current /tmp/.ICE-unix handling can lead to local DoS
Submitted by Jean Delvare
Assigned to Xorg Project Team
Description
When starting a new X session, one or more sockets are created in /tmp/.ICE-unix. One of these sockets is named after the PID of the process. This means that it is trivial for a local user of the system to prevent all other users from logging in, causing a local DoS. This can be done with the following command:
seq 1 $(cat /proc/sys/kernel/pid_max) | (cd /tmp/.ICE-unix && xargs touch)
I've verified it on a variety of Linux distributions, including Slackware 12.0, SLED10 SP2 and openSUSE 11.1.
Evil intentions aside, as sockets created in /tmp/.ICE-unix are not deleted on logout, on systems with many users, logins will start failing eventually after some use time. I did experience this on a system with 3 users after just a few months (this is how I noticed the problem).
I think that at least the sockets should be deleted when logging out. Then the socket names should be made non-predictable to prevent any local DoS attack.
Version: 7.4 (2008.09)
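An added example (not part of the bug report or of the X.Org code) that audits an ICE socket directory for the two conditions described above: entries that are not sockets at all, and sockets whose PID-derived name no longer matches a running process. It assumes a Linux /proc filesystem for the liveness check and uses a constructed sample directory rather than the real /tmp/.ICE-unix.

```shell
#!/bin/sh
# Audit an .ICE-unix-style directory for stale entries.
# Added example, not X.Org code. Assumes Linux /proc for PID liveness.

# list_stale_ice_entries DIR
# Prints "<name>\t<reason>" for every entry that is either
#   - not a unix socket (e.g. a regular file that was planted with touch), or
#   - a socket named after a PID that is no longer running (leftover from logout).
list_stale_ice_entries() {
    dir="$1"
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue      # empty directory: glob stays literal
        name=${entry##*/}
        if [ ! -S "$entry" ]; then
            printf '%s\tnot-a-socket\n' "$name"
            continue
        fi
        case "$name" in                  # ICE names the socket after the PID
            *[!0-9]*) continue ;;        # non-numeric name: not PID-derived, skip
        esac
        if [ ! -d "/proc/$name" ]; then
            printf '%s\tdead-pid\n' "$name"
        fi
    done
}

# count_stale_ice_entries DIR: number of stale entries, for monitoring checks.
count_stale_ice_entries() {
    list_stale_ice_entries "$1" | wc -l | tr -d ' '
}

# build_constructed_sample DIR: constructed test data, mimicking what the
# reported touch loop leaves behind (plain files with PID-like names).
build_constructed_sample() {
    mkdir -p "$1"
    touch "$1/12345" "$1/99999"
}

# Stand-alone demo against a temporary directory, never the live /tmp/.ICE-unix.
if [ "${0##*/}" != "sh" ] && [ -z "${ICE_AUDIT_NO_DEMO:-}" ]; then
    demo=$(mktemp -d)
    build_constructed_sample "$demo"
    list_stale_ice_entries "$demo"
    echo "stale entries: $(count_stale_ice_entries "$demo")"
    rm -rf "$demo"
fi
```

Run against the real directory with `list_stale_ice_entries /tmp/.ICE-unix` to see whether stale entries are accumulating between sessions.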