Description: Avoid unsafe use of magic cookie as arg to xauth command for X11 forwarding
 Magic cookie can leak through /proc this way. There is a race here between
 this usually short-lived xauth command running and an attacker scraping
 the value from /proc. This can be exacerbated through use of
 X11Parameters=home_xauthority on a cluster with a shared home directory
 under heavy load.
 Fix CVE-2020-27746
Author: Tim Wickberg <tim@schedmd.com>
Origin: upstream, https://github.com/SchedMD/slurm/commit/07309deb45c33e735e191faf9dd31cca1054a15c
Date: 2020-11-12


--- a/src/common/x11_util.c
+++ b/src/common/x11_util.c
@@ -181,27 +181,45 @@
 	int i=0, status;
 	char *result;
 	char **xauth_argv;
+   char template[] = "/tmp/xauth-source-XXXXXX";
+   char *contents = NULL;
+   int fd;
+
+   /* protect against weak file permissions in old glibc */
+   umask(0077);
+   if ((fd = mkstemp(template)) < 0)
+           fatal("%s: could not create temp file", __func__);
+
+   xstrfmtcat(contents, "add %s/unix:%u MIT-MAGIC-COOKIE-1 %s\n",
+              host, display, cookie);
+   safe_write(fd, contents, strlen(contents));
+   xfree(contents);
+   close(fd);
 
 	xauth_argv = xmalloc(sizeof(char *) * 10);
-	xauth_argv[i++] = xstrdup("xauth");
-	xauth_argv[i++] = xstrdup("-v");
-	xauth_argv[i++] = xstrdup("-f");
-	xauth_argv[i++] = xstrdup(xauthority);
-	xauth_argv[i++] = xstrdup("add");
-	xauth_argv[i++] = xstrdup_printf("%s/unix:%u", host, display);
-	xauth_argv[i++] = xstrdup("MIT-MAGIC-COOKIE-1");
-	xauth_argv[i++] = xstrdup(cookie);
+   xauth_argv[i++] = "xauth";
+   xauth_argv[i++] = "-v";
+   xauth_argv[i++] = "-f";
+   xauth_argv[i++] = xauthority;
+   xauth_argv[i++] = "source";
+   xauth_argv[i++] = template;
 	xauth_argv[i++] = NULL;
 	xassert(i < 10);
 
 	result = run_command("xauth", XAUTH_PATH, xauth_argv, 10000, &status);
 
-	free_command_argv(xauth_argv);
+   (void) unlink(template);
+   xfree(xauth_argv);
+
 
 	debug2("%s: result from xauth: %s", __func__, result);
 	xfree(result);
 
 	return status;
+
+rwfail:
+   fatal("%s: could not write temporary xauth file", __func__);
+   return SLURM_ERROR;
 }
 
 extern int x11_delete_xauth(char *xauthority, char *host, uint16_t display)
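Review bot: On the `rwfail:` path the temporary file created to hold the cookie is never cleaned up: `fatal()` is reached with `template` still present in /tmp, `fd` still open and `contents` still allocated, so a failed or partial write can leave cookie material on disk after the process exits (this assumes `safe_write` jumps to `rwfail` on error, as the new label suggests). Putting `(void) close(fd); (void) unlink(template);` before the `fatal()` call would close that gap. Separately, `umask(0077);` changes the process-wide mask and is never restored; `mode_t old = umask(0077);` followed by `umask(old);` right after `mkstemp()` would keep the side effect local to this call. The function's signature and callers lie above the hunk, so it is not visible here whether `host` and `cookie` are checked for embedded newlines before being formatted into the script that `xauth source` executes; if they are not, a short comment stating that assumption would help.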
