Following the security guide (http://www.gentoo.org/doc/en/gentoo-security.xml) I edited startx as stated in Code listing 5.7:

/usr/X11R6/bin/startx
defaultserverargs="-nolisten tcp"

After updating the xfree package, these changes are lost (happened due to the last two xfree upgrades). Wouldn't it be wise to either config-protect /usr/X11R6/bin/startx and/or change the gentoo security guide (e.g. remove the defaultserverargs thing and recommend a wrapper script instead of this)?

regards,
wernfried

Reproducible: Always

Steps to Reproduce:
1. emerge xfree
2. change /usr/X11R6/bin/startx
3. emerge xfree (next version)

Actual Results:
port 6000 is open

Expected Results:
leave the config file alone

Portage 2.0.47-r10 (default-x86-1.4, gcc-3.2.2, glibc-2.3.1-r4)
=================================================================
System uname: 2.4.20 i686 AMD Duron(tm) processor
GENTOO_MIRRORS="ftp://ftp.tu-clausthal.de/pub/linux/gentoo ftp://ftp.easynet.nl/mirror/gentoo// http://gentoo.oregonstate.edu/ http://www.ibiblio.org/gentoo"
CONFIG_PROTECT="/etc /var/qmail/control /usr/kde/2/share/config /usr/kde/3/share/config /usr/X11R6/lib/X11/xkb /usr/kde/3.1/share/config /usr/share/config"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
PORTDIR="/usr/portage"
DISTDIR="/usr/portage/distfiles"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR_OVERLAY=""
USE="x86 oss apm avi crypt gif libg++ libwww mikmod mmx mpeg nls quicktime spell xml2 gdbm berkdb ggi tcltk java guile gpm perl python imlib qt motif opengl 3dnow aalib -alsa -arts dvd encode gtk jpeg kde mozilla ncurses oggvorbis pdflib png qz phyton readline ruby sdl slang tcpd tiff truetype wmf X xmms xv zlib -esd -svga ssl pam cdr cups -gnome +emacs"
COMPILER="gcc3"
CHOST="i686-pc-linux-gnu"
CFLAGS="-march=athlon -O3 -pipe -fomit-frame-pointer"
CXXFLAGS="-march=athlon -O3 -pipe -fomit-frame-pointer"
ACCEPT_KEYWORDS="x86"
MAKEOPTS="-j2"
AUTOCLEAN="yes"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
FEATURES="ccache sandbox userpriv usersandbox"
It's not really a conf file. You should be able to add it to /usr/X11/xdm/Xservers

Something like :-

:0 local /usr/X11R6/bin/X vt7 -nolisten tcp

and/or ~/.xserverrc and/or /etc/X11/xinit/xserverrc

Something like :-

/usr/X11R6/bin/X -nolisten tcp
Oops, that first one should say /etc/X11/xdm/Xservers. The doc seems to cover at least 1 of these alternatives, and 1 other for gnome I wasn't aware of. I've reassigned to one of the listed editors; they may want to change the doc.
I'll take this one.
The xdm solution probably only works if you start X when you boot, not when you just type in "startx". I'm adding a paragraph on protecting /usr/X11R6/bin/startx.
Proposed fix, part of bug #26705: @@ -1591,6 +1599,16 @@ </pre> <p> +To make sure that <c>startx</c> doesn't get overwritten when you emerge +a newer XFree you must protect it. Add the following line to +<path>/etc/make.conf</path>: +</p> + +<pre caption = "/etc/make.conf"> +CONFIG_PROTECT_MASK="/usr/X11R6/bin/startx" +</pre> + +<p> If you use a graphical login manager you need a different approach. </p>
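Review bot: the added <pre> listing names the wrong variable; CONFIG_PROTECT_MASK is the list of paths excluded from protection, so CONFIG_PROTECT_MASK="/usr/X11R6/bin/startx" leaves startx overwritable on the next emerge, which is the exact failure the report describes. The reporter's own environment dump shows the relationship: CONFIG_PROTECT="/etc ..." is what protects, while CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d" carves exceptions out of it. The listing should read CONFIG_PROTECT="/usr/X11R6/bin/startx" (or append to the existing value), and the new paragraph text should name CONFIG_PROTECT so prose and listing agree.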
Committed
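Added example, not from this bug thread, the security guide or Portage's own code: a small POSIX-shell model of the CONFIG_PROTECT / CONFIG_PROTECT_MASK decision, run against the reporter's own values from the emerge info above, showing why the startx edit was lost and which of the two variables actually protects the file. The prefix-match rule is a simplification (Portage's handling of absent or unchanged files is ignored); the path lists and file names are the ones quoted in the thread.

```shell
#!/bin/sh
# Model of the Portage rule (simplified, added example): a file is config-protected
# when it equals or lies under some CONFIG_PROTECT entry AND does not equal or lie
# under any CONFIG_PROTECT_MASK entry. MASK only removes protection, never adds it.

# under_any PATH "dir1 dir2 ..." -> exit 0 if PATH equals or lies under any listed dir
under_any() {
    p=$1
    for d in $2; do
        d=${d%/}                       # tolerate a trailing slash in the list
        case "$p" in
            "$d"|"$d"/*) return 0 ;;
        esac
    done
    return 1
}

# is_protected PATH CONFIG_PROTECT CONFIG_PROTECT_MASK -> exit 0 when Portage would
# keep the installed file (writing a ._cfg0000_ copy) instead of overwriting it
is_protected() {
    under_any "$1" "$2" && ! under_any "$1" "$3"
}

# protection_status PATH CONFIG_PROTECT CONFIG_PROTECT_MASK -> prints a one-word verdict
protection_status() {
    if is_protected "$1" "$2" "$3"; then echo protected; else echo overwritten; fi
}

# Values taken from the reporter's emerge info in the bug description.
REPORTER_PROTECT="/etc /var/qmail/control /usr/kde/2/share/config /usr/kde/3/share/config /usr/X11R6/lib/X11/xkb /usr/kde/3.1/share/config /usr/share/config"
REPORTER_MASK="/etc/gconf /etc/env.d"
STARTX=/usr/X11R6/bin/startx

# Case 1: the reporter's setup. startx is under no CONFIG_PROTECT entry, so the
# edited defaultserverargs line is lost on the next emerge xfree (port 6000 reopens).
echo "reporter's config:   $(protection_status "$STARTX" "$REPORTER_PROTECT" "$REPORTER_MASK")"

# Case 2: the proposed doc fix adds startx to CONFIG_PROTECT_MASK. Still overwritten.
echo "startx in MASK:      $(protection_status "$STARTX" "$REPORTER_PROTECT" "$REPORTER_MASK $STARTX")"

# Case 3: add startx to CONFIG_PROTECT instead. Now the edit survives an upgrade.
echo "startx in PROTECT:   $(protection_status "$STARTX" "$REPORTER_PROTECT $STARTX" "$REPORTER_MASK")"

# Case 4: MASK carving an exception out of /etc, as in the reporter's own settings.
echo "/etc/make.conf:      $(protection_status /etc/make.conf "$REPORTER_PROTECT" "$REPORTER_MASK")"
echo "/etc/env.d/99local:  $(protection_status /etc/env.d/99local "$REPORTER_PROTECT" "$REPORTER_MASK")"
```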