Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 343911

Summary: x11-apps/xinit: with startx, X is run unsecured from other local users in default setup
Product: Gentoo Linux Reporter: Faustus <orlovm>
Component: Current packagesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: x11
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Faustus 2010-11-02 22:20:06 UTC 
Unless the user customizes ~/.xserverrc, xinit runs X via /etc/X11/xinit/xserverrc (even if the user does customize ~/.xinitrc). The default xserverrc contains:

  exec /usr/bin/X -nolisten tcp

That is, xinit's "-auth" parameter is not passed to the X server. Suggest changing the contents to:

  #!/bin/sh
  exec /usr/bin/X -nolisten tcp "$@"

(it's a script, too - it's not sourced)

Check with

  XAUTHORITY= xhost

which should fail when authorization is enabled.

Note that there is pam_xauth for passing authorization cookies to other users.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2010-11-02 23:17:25 UTC 
I can confirm Debian has also changed it's xserverrc to:

#!/bin/sh
exec /usr/bin/X -nolisten tcp "$@"

re: http://ftp.de.debian.org/debian/pool/main/x/xinit/xinit_1.2.0-2.diff.gz
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2010-11-02 23:36:31 UTC 
Fixed in xinit-1.2.0-r4 (stabilize this one) and for ~arch users in 1.3.0-r1.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-03 04:24:50 UTC 
Arch teams, please test and mark stable:
=x11-apps/xinit-1.2.0-r4
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-11-03 09:36:48 UTC 
x86 stable
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2010-11-03 17:18:17 UTC 
amd64 done
Comment 6 Mark Loeser (RETIRED) gentoo-dev 2010-11-05 01:44:56 UTC 
ppc64 done
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-05 07:08:06 UTC 
Stable for HPPA PPC.
Comment 8 Markus Meier gentoo-dev 2010-11-05 12:19:55 UTC 
arm stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2010-11-13 19:21:47 UTC 
alpha/ia64/s390/sh/sparc stable, closing