Bug 334033 - x11-apps/xdm: leaves port 6000 open by default
Summary: x11-apps/xdm: leaves port 6000 open by default
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
Duplicates: 382903

Reported: 2010-08-23 04:11 UTC by Elias Gabriel Amaral da Silva
Modified: 2016-02-20 06:17 UTC

Description Elias Gabriel Amaral da Silva 2010-08-23 04:11:49 UTC
xdm is not honoring /etc/X11/xinit/xserverrc. When I start my X session with it and nmap myself from a remote computer, I see port 6000 open. netstat also confirms X is listening on *:6000. I suppose this is a security issue, so I'm setting severity to 'major'. My xserverrc is:

exec /usr/bin/X -nolisten tcp

(It's Gentoo's default.)

If I switch to slim at /etc/conf.d/xdm and restart it, I don't experience this issue (port 6000 is now closed).

I can't find a workaround.

eix says:

[I] x11-apps/xdm
     Available versions:  1.1.8 [M]1.1.9 {debug ipv6 pam}
     Installed versions:  1.1.8(03:19:49 AM 08/12/2010)(ipv6 pam -debug)
     Homepage:            http://xorg.freedesktop.org/
     Description:         X.Org xdm application


[I] x11-misc/slim
     Available versions:  1.3.1_p20091114 ~1.3.2 {branding pam screenshot}
     Installed versions:  1.3.1_p20091114(10:33:46 PM 07/04/2010)(branding pam -screenshot)
     Homepage:            http://slim.berlios.de
     Description:         Simple Login Manager

Also:


$ emerge --info =x11-apps/xdm-1.1.8
Portage 2.1.8.3 (default/linux/x86/10.0, gcc-4.3.4, glibc-2.11.2-r0, 2.6.35-gentoo-r2 x86_64)
=================================================================
                        System Settings
=================================================================
System uname: Linux-2.6.35-gentoo-r2-x86_64-Intel-R-_Atom-TM-_CPU_N450_@_1.66GHz-with-gentoo-2.0.1
Timestamp of tree: Mon, 23 Aug 2010 01:45:02 +0000
ccache version 2.4 [disabled]
app-shells/bash:     4.0_p37
dev-java/java-config: 2.1.11
dev-lang/python:     2.5.4-r4, 2.6.5-r3, 3.1.2-r4
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.6.1-r1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.65
sys-devel/automake:  1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.3.4, 4.4.3-r2, 4.5.1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=core2 -mtune=generic --param l1-cache-size=24 --param l1-cache-line-size=64 --param l2-cache-size=512 -mssse3 -mfpmath=sse -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=core2 -mtune=generic --param l1-cache-size=24 --param l1-cache-line-size=64 --param l2-cache-size=512 -mssse3 -mfpmath=sse -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages metadata-transfer news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://www.las.ic.unicamp.br/pub/gentoo/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/custom /usr/local/portage/gentoo-haskell"
SYNC="rsync://rsync1.br.gentoo.org/gentoo-portage"
USE="X acl acpi alsa bash-completion berkdb branding bzip2 cairo cjk cli cracklib crypt cups curl cxx dbus dri emacs fortran gdbm gif gnutls gpm gtk iconv ipv6 java java6 jpeg laptop libnotify modules mudflap ncurses network-cron nls nptl nptlonly ocaml ocamlopt opengl openmp pam pcre pdf perl png pppd python readline reflection ruby rubygems session spl ssl startup-notification svg sysfs tcpd threads unicode vim-syntax wifi x86 xorg zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

x11-apps/xdm-1.1.8 was built with the following:
USE="ipv6 pam -debug"
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-01-01 23:52:05 UTC
(In reply to comment #0)
> xdm is not honoring /etc/X11/xinit/xserverrc. 

There appears to be quite a bit of relevant history in Bug 193044. 

@x11, help?
Comment 2 Elias Gabriel Amaral da Silva 2011-01-02 01:59:05 UTC
Oh, interesting. Andrew Hurst says there:

"The answer is no!
/usr/bin/startx reads /etc/X11/xinit/xserverrc which is where -nolisten tcp
should go.

However, this is for configuring all xserver's default.

According to xorg people in the irc channel, xserver default args should be
configured per session manager in e.g. /etc/GDM/gdm.conf for gdm, and
/etc/X11/xdm/Xservers for xdm."

my /etc/X11/xdm/Xservers is:

--

# $Xorg: Xserv.ws.cpp,v 1.3 2000/08/17 19:54:17 cpqbld Exp $
#
# Xservers file, workstation prototype
#
# This file should contain an entry to start the server on the
# local display; if you have more than one display (not screen),
# you can add entries to the list (one per line).  If you also
# have some X terminals connected which do not support XDMCP,
# you can add them here as well.  Each X terminal line should
# look like:
#	XTerminalName:0 foreign
#
:0 local /usr/bin/X :0 vt7

--


Is this supposed to be adequate to issue -nolisten tcp? (I suppose not. Then, I request a new default for this config file.)
Comment 3 William Throwe 2011-06-05 19:36:24 UTC
Changing the last line of /etc/X11/xdm/Xservers to

:0 local /usr/bin/X :0 vt7 -nolisten tcp

seems to fix this.
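
An added example, not part of the bug thread or of any Gentoo tooling: a shell audit that flags local entries in an Xservers file whose server command lacks "-nolisten tcp" (the change described in comment 3) and filters `netstat -ltn` or `ss -ltn` output for X11 TCP listeners. The function names, the sample files and the 6063 upper port bound are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit xdm's Xservers file and a listener table for X servers
# reachable over TCP. Function names and sample data are constructed.

# unsafe_xservers FILE
# Prints "local" display entries whose server command lacks "-nolisten tcp".
# Exit status is 1 if any such entry exists, 0 otherwise.
unsafe_xservers() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }             # comments and blank lines
        $2 != "local" && $3 != "local" { next }    # foreign entries start no server
        {
            ok = 0
            for (i = 3; i < NF; i++)
                if ($i == "-nolisten" && $(i + 1) == "tcp") ok = 1
            if (!ok) { print FNR ": " $0; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# x11_tcp_listeners
# Reads `netstat -ltn` or `ss -ltn` output on stdin (both put the local
# address in column 4) and prints listeners on TCP 6000-6063. Display N
# listens on port 6000+N; the upper bound is an assumed convention.
x11_tcp_listeners() {
    awk '{
        n = split($4, a, ":"); port = a[n]
        if (port ~ /^[0-9]+$/ && port + 0 >= 6000 && port + 0 <= 6063) print $4
    }'
}

# Constructed samples: the stock entry quoted in the report and the fixed form.
demo_dir=$(mktemp -d)
cat > "$demo_dir/Xservers.stock" <<'EOF'
# Xservers file, workstation prototype
:0 local /usr/bin/X :0 vt7
EOF
cat > "$demo_dir/Xservers.fixed" <<'EOF'
:0 local /usr/bin/X :0 vt7 -nolisten tcp
EOF
unsafe_xservers "$demo_dir/Xservers.stock" || echo "stock: TCP listening not disabled"
unsafe_xservers "$demo_dir/Xservers.fixed" && echo "fixed: ok"
# Constructed netstat line; on a live host pipe in `netstat -ltn` instead.
echo 'tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN' | x11_tcp_listeners
rm -rf "$demo_dir"
```

On a real system, run `unsafe_xservers /etc/X11/xdm/Xservers` and `netstat -ltn | x11_tcp_listeners`; no output from either means no local X server is configured or observed listening on TCP.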
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2012-06-16 15:49:59 UTC
*** Bug 382903 has been marked as a duplicate of this bug. ***
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-02-20 06:17:02 UTC
Port 6000 is no longer open in current stable versions.