343911 – x11-apps/xinit: with startx, X is run unsecured from other local users in default setup

Bug 343911 - x11-apps/xinit: with startx, X is run unsecured from other local users in default setup

Summary: x11-apps/xinit: with startx, X is run unsecured from other local users in def...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	High major (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2010-11-02 22:20 UTC by Faustus
Modified:	2011-04-28 22:51 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Faustus 2010-11-02 22:20:06 UTC

Unless the user customizes ~/.xserverrc, xinit runs X via /etc/X11/xinit/xserverrc (even if the user does customize ~/.xinitrc). The default xserverrc contains:

  exec /usr/bin/X -nolisten tcp

That is, xinit's "-auth" parameter is not passed to the X server. Suggest changing the contents to:

  #!/bin/sh
  exec /usr/bin/X -nolisten tcp "$@"

(it's a script, too - it's not sourced)

Check with

  XAUTHORITY= xhost

which should fail when authorization is enabled.

Note that there is pam_xauth for passing authorization cookies to other users.

Comment 1 Samuli Suominen (RETIRED) gentoo-dev

2010-11-02 23:17:25 UTC

I can confirm Debian has also changed it's xserverrc to:

#!/bin/sh
exec /usr/bin/X -nolisten tcp "$@"

re: http://ftp.de.debian.org/debian/pool/main/x/xinit/xinit_1.2.0-2.diff.gz

Comment 2 Samuli Suominen (RETIRED) gentoo-dev

2010-11-02 23:36:31 UTC

Fixed in xinit-1.2.0-r4 (stabilize this one) and for ~arch users in 1.3.0-r1.

Comment 3 Jeroen Roovers (RETIRED) gentoo-dev

2010-11-03 04:24:50 UTC

Arch teams, please test and mark stable:
=x11-apps/xinit-1.2.0-r4
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2010-11-03 09:36:48 UTC

x86 stable

Comment 5 Markos Chandras (RETIRED) gentoo-dev

2010-11-03 17:18:17 UTC

amd64 done

Comment 6 Mark Loeser (RETIRED) gentoo-dev

2010-11-05 01:44:56 UTC

ppc64 done

Comment 7 Jeroen Roovers (RETIRED) gentoo-dev

2010-11-05 07:08:06 UTC

Stable for HPPA PPC.

Comment 8 Markus Meier gentoo-dev

2010-11-05 12:19:55 UTC

arm stable

Comment 9 Raúl Porcel (RETIRED) gentoo-dev

2010-11-13 19:21:47 UTC

alpha/ia64/s390/sh/sparc stable, closing