Unlike every other GUI login manager, entrance listens on port 6000.

Reproducible: Always

Steps to Reproduce:
1. emerge entrance
2. edit rc.conf
3. restart /etc/init.d/xdm

Actual Results:
netstat -tulpen
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN

Expected Results:
disable tcp (start X with -nolisten tcp)

Portage 2.0.50-r11 (default-x86-2004.2, gcc-3.3.3, glibc-2.3.3.20040420-r0, 2.6.8-gentoo-r3)
=================================================================
System uname: 2.6.8-gentoo-r3 i686 Intel(R) Pentium(R) M processor 1.50GHz
Gentoo Base System version 1.4.16
distcc 2.16 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
Autoconf: sys-devel/autoconf-2.59-r3
Automake: sys-devel/automake-1.8.3
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=pentium3 -O2 -msse2 -mmmx -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium3 -O2 -msse2 -mmmx -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache distcc sandbox userpriv usersandbox"
GENTOO_MIRRORS="http://gentoo.osuosl.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X X.org apm avi berkdb bitmap-fonts cdparanoia cdr crypt cups dvd dvdr dvdread encode esd foomatic foomaticdb gdbm gif gimp gimpprint gnome gpm gtk gtk2 imlib jpeg lame libg++ libwww mad mikmod mmx mng motif mozilla moznocompose moznoirc moznomail mp3 mpeg ncurses network nls ogg oggvorbis opengl oss pam pdf pdflib perl png python qt quicktime readline sdl slang spell sse ssl svcd svga tcpd tetex theora tiff truetype vcd vim wmf x86 xml2 xmms xprint xv xvid zlib"
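An added check script (example code, not part of this bug report or of entrance) that automates the two verifications the report and the linked howto rely on: whether a TCP socket is listening on an X display port, and whether the running X server was started with -nolisten tcp. The netstat and ps lines it is fed below are constructed for the example (the 0.0.0.0:6000 line is the one from the report; PID 4242, the inode numbers and the X command lines are made up). It goes slightly beyond the report by checking all display ports 6000-6063, since display N listens on 6000+N, not only on 6000.

```shell
#!/bin/sh
# Added example, not part of the bug report or of entrance. Automates the two
# checks the report and the lude.net howto rely on: is anything listening on
# TCP on an X display port, and was the X server started with -nolisten tcp.
# Each function reads netstat/ps output on stdin, so it works on live output
# ("netstat -tulpen | x_tcp_listener") or on a saved copy.

# Constructed samples. The 0.0.0.0:6000 line is the one from the report; the
# PID 4242, inode numbers and the X command lines are made up for the example.
NETSTAT_OPEN='Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      0          11832      4242/X
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          9016       3811/sshd'
NETSTAT_CLOSED='Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          9016       3811/sshd'
PS_OPEN='root      4242  0.4  2.1 14236 11040 ?   S    10:12   0:03 /usr/X11R6/bin/X -quiet :0'
PS_FIXED='root      4242  0.4  2.1 14236 11040 ?   S    10:12   0:03 /usr/X11R6/bin/X -quiet -nolisten tcp :0'

# 0 if a tcp/tcp6 socket is in LISTEN state on an X display port. Display N
# listens on 6000+N, so 6000-6063 is checked, not only 6000 as in the report.
# Prints each matching local address (e.g. 0.0.0.0:6000).
x_tcp_listener() {
    awk '
        $1 ~ /^tcp/ && $4 ~ /:(600[0-9]|60[1-5][0-9]|606[0-3])$/ {
            for (i = 5; i <= NF; i++)
                if ($i == "LISTEN") { print $4; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    '
}

# 0 if such a listener is bound to a wildcard address (0.0.0.0, :: or *),
# i.e. reachable from other hosts and not just from loopback.
x_bound_to_wildcard() {
    x_tcp_listener | grep -Eq '^(0\.0\.0\.0|::|\*):'
}

# Looks for the X server process in ps output (binary X, Xorg or XFree86,
# with or without a directory part) and checks its arguments for -nolisten tcp.
# Exit 0: X running with -nolisten tcp; 1: X running without it; 2: no X found.
x_has_nolisten() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                tok = $i
                sub(/.*\//, "", tok)
                if (tok == "X" || tok == "Xorg" || tok == "XFree86") {
                    seen = 1
                    if ($0 ~ /-nolisten +tcp/) ok = 1
                    break
                }
            }
        }
        END { exit (seen ? (ok ? 0 : 1) : 2) }
    '
}

# Live audit of this host; run the script with "--live" (needs net-tools netstat).
if [ "${1:-}" = "--live" ]; then
    if netstat -tln | x_tcp_listener; then
        echo "X is listening on TCP"
    else
        echo "no X TCP listener"
    fi
    ps ax | x_has_nolisten && echo "X server started with -nolisten tcp"
fi
```

A listener on 6000 that is bound to 0.0.0.0, as in the report, is the case worth treating as a finding; a firewall in front of it only hides the symptom, which is why the command-line check matters as well.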
Mike, this is your baby.
I'm not really sure what this bug is about -- is it related to entrance? Or is it related to X not using nolisten by default? Either way, this isn't a security bug. Kicking it over to vapier to make it his problem.
From http://lude.net/edocs/entrance.htm {Entrance - The Login-Manager}:

  Currently known problems:

  Entrance starts X without -nolisten tcp. In other words, it will have port 6000 wide open, which is a security threat. Of course you can firewall it, but in case the firewall is bypassed or doesn't work you might be in trouble.

  It is possible to change this behaviour by editing the source code before installing and compiling Entrance. Here's a quick howto:

  Edit /e17/apps/entrance/src/daemon/Entranced.h from the source directory. The line you need to edit is right in the beginning of the file:

      #define X_SERVER "/usr/bin/X11/X -quiet"

  Just add -nolisten tcp there so it will look like this:

      #define X_SERVER "/usr/bin/X11/X -quiet -nolisten tcp"

  Now compile and install Entrance as usual. This time port 6000 should be closed by default. You can verify this with a portscanner and by checking your processes with the "ps aux" command. X should now have -nolisten tcp listed.

---

Confirmed this is still an issue with the latest cvs build (pulled 02.02.05). Is this something to be worried about?
Created attachment 50281 [details, diff]
entrance-9999.ebuild.diff

This patch is against the cvs ebuild. It adds the line

    sed -i 's:\(#define X_SERVER "/usr/X11R6/bin/X -quiet\):\1\ -nolisten\ tcp:' ${S}/src/daemon/Entranced.h

to the end of src_unpack(). Tested and working here.
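As an added example (not the attached diff itself, and not entrance code): the sed from the ebuild diff applied to a constructed copy of Entranced.h, followed by the check the diff does not do. sed -i exits 0 whether or not its pattern matched, so if the define carries a different X path (the lude.net howto quoted above shows /usr/bin/X11/X while the diff matches /usr/X11R6/bin/X) the ebuild would build and install an entrance whose X still listens on TCP. The header contents, include guard and temp-file handling below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the bug or the entrance ebuild. Applies the
# '-nolisten tcp' sed from the attached ebuild diff to a constructed copy of
# src/daemon/Entranced.h and then verifies that the substitution really took
# effect, which the diff itself does not check.

# Write a stand-in Entranced.h (constructed, only the relevant define) to $1,
# using $2 as the X server path inside the X_SERVER define.
make_header() {
    printf '#ifndef _ENTRANCED_H\n#define _ENTRANCED_H\n\n#define X_SERVER "%s -quiet"\n\n#endif\n' "$2" > "$1"
}

# The sed line from the ebuild diff, verbatim: it is anchored on the exact
# X path it expects, and GNU sed -i returns 0 even when nothing matched.
apply_nolisten_sed() {
    sed -i 's:\(#define X_SERVER "/usr/X11R6/bin/X -quiet\):\1\ -nolisten\ tcp:' "$1"
}

# 0 if the X_SERVER define in $1 now ends in "-nolisten tcp", 1 otherwise.
# In an ebuild this is the check to follow the sed with (e.g. '... || die').
header_has_nolisten() {
    grep -q '^#define X_SERVER ".* -nolisten tcp"$' "$1"
}

# Patch $1 in place and report whether the fix is actually present.
patch_and_check() {
    apply_nolisten_sed "$1" && header_has_nolisten "$1"
}

# Build a header whose X_SERVER path is $1, patch it, return 0 if patched.
try_path() {
    tmp=$(mktemp) || return 2
    make_header "$tmp" "$1"
    patch_and_check "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone run: the path the diff expects gets fixed, the howto's path is
# silently left as it was.
if [ "${1:-}" = "--demo" ]; then
    try_path /usr/X11R6/bin/X && echo "/usr/X11R6/bin/X: patched"
    try_path /usr/bin/X11/X || echo "/usr/bin/X11/X: sed did not match, X would still listen on TCP"
fi
```

The point of header_has_nolisten is that a build-time rewrite of a security-relevant default needs a positive assertion that it happened; relying on sed's exit status alone gives none.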
Created attachment 50340 [details, diff]
entrance-x-options.patch

Try this patch instead.
spawner.c: In function `Entranced_Start_Server_Once': spawner.c:129: warning: implicit declaration of function `e_db_str_get' spawner.c:129: error: `db' undeclared (first use in this function) spawner.c:129: error: (Each undeclared identifier is reported only once spawner.c:129: error: for each function it appears in.) spawner.c:129: warning: assignment makes pointer from integer without a cast make[3]: *** [spawner.o] Error 1 (edited patch): @@ -1,4 +1,5 @@ #include <Ecore.h> +#include <Edb.h> #include "Entranced.h" #include "auth.h" #include "util.h" spawner.c: In function `Entranced_Start_Server_Once': spawner.c:130: error: `db' undeclared (first use in this function) spawner.c:130: error: (Each undeclared identifier is reported only once spawner.c:130: error: for each function it appears in.) make[3]: *** [spawner.o] Error 1
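Review bot: the `+#include <Edb.h>` added at the top of spawner.c only supplies the declaration of `e_db_str_get`; the implicit-declaration and pointer-from-integer warnings are gone in the second build log, but the error that actually stops the build, `db` undeclared at spawner.c:130 in `Entranced_Start_Server_Once`, is unchanged, because nothing in that function declares or opens a `db` handle before the `e_db_str_get(db, ...)` call at that line. The include needs to be paired with a change inside `Entranced_Start_Server_Once` that declares and opens the database handle the call reads from (or receives it as a parameter); as posted, the patch does not compile.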
Comment on attachment 50340 [details, diff]
entrance-x-options.patch

This patch is crap, ignore it.
Talked to the e devs and they're aware of the issue ... they have a partial rewrite to address this issue in general, so for now I'll just force the '-nolisten tcp' option.