My xchat is built with the xchatdccserver-flag and I can use the /dccserver-command to open listening ports for incoming file-transfers. Now if I start any subprocess like "Run new Mozilla" or simply "/exec bash" and close or change the dccserver port, netstat shows the subprocess as the owner of that port and the port is blocked until the process is killed. - I dont know if it's a security issue but I think ports should never be open for no reason. I was a bit puzzled when I saw that the first time. Reproducible: Always Steps to Reproduce: 1. xchat: /DCCSERVER + 6666 2. xchat: /exec bash --> netstat: tcp 0 0 0.0.0.0:6666 0.0.0.0:* LISTEN 10030/xchat-2 3. xchat: /DCCSERVER - --> netstat: tcp 0 0 0.0.0.0:6666 0.0.0.0:* LISTEN 23524/bash Actual Results: listening port still open and blocked for any other process Expected Results: listening port closed emerge info: Portage 2.0.51-r15 (default-linux/x86/2004.3, gcc-3.4.3, glibc-2.3.4.20040808-r1, 2.6.10-gentoo-r6-2 i686) ================================================================= System uname: 2.6.10-gentoo-r6-2 i686 Pentium III (Katmai) Gentoo Base System version 1.4.16 Python: dev-lang/python-2.3.4-r1 [2.3.4 (#1, Feb 8 2005, 12:06:00)] dev-lang/python: 2.3.4-r1 sys-devel/autoconf: 2.59-r6, 2.13 sys-devel/automake: 1.7.9-r1, 1.8.5-r3, 1.5, 1.4_p6, 1.6.3, 1.9.4 sys-devel/binutils: 2.15.92.0.2-r1 sys-devel/libtool: 1.5.10-r4 virtual/os-headers: 2.6.8.1-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CFLAGS="-O2 -march=pentium3 -fomit-frame-pointer -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-O2 -march=pentium3 -fomit-frame-pointer -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms" GENTOO_MIRRORS="http://ftp.easynet.nl/mirror/gentoo/ http://ftp.du.se/pub/os/gentoo http://www.die.unipd.it/pub/Linux/distributions/gentoo-sources/" LANG="de_DE@euro" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="x86 X acpi apache2 apm avi berkdb bigger-fonts bindist bitmap-fonts bonobo cdr crypt cups dga directfb divx4linux dv dvb dvd emboss encode esd ethereal f77 fam fbcon flac font-server foomaticdb fortran gcj gdbm gif gimpprint gnome gnutls gphoto2 gstreamer gtk gtk2 guile idea imagemagick imlib java jpeg ldap libg++ libwww lirc live mad maildir matroska mikmod mmap mmx mng mozilla moznocompose moznoirc mozsvg mpeg mule mysql ncurses network nls nocardbus nopri nozaptel nvidia offensive ogg oggvorbis opengl oss pam pdflib perl plotutils png ppds prelude python quicktime readline real scanner sdl slang speex spell sse ssl svg tcpd tetex theora tiff truetype truetype-fonts type1-fonts unicode usb v4l v4l2 videos wmf xchatdccserver xml xml2 xmms xv xvid zlib" Unset: ASFLAGS, CBUILD, CTARGET, LC_ALL, LDFLAGS
afaik xchat dcc server is more a proof of concept and should be used with care, i wonder who ever introduced a USE flag for this ?
I added it wrt bug #54509. It's experimental, but official support has been added to the 2.4.1b windows version, so I expect official support for Linux or other supported OSes in the next version. Concerning this bug, I'll look at the patch and modify it to close the DCC server port on /exec and pass the modified patch upstream.
I'm not sure if official support will be included in the Linux version soon. The source for dccserver is not in xchat's cvs and with wanting money for the windows version the author might not do it ever. As for the bug, just to make clear: it also happens when the built-in xchat-commands open a browser from an url (or gftp or probably anything). I don't know if it just uses the '/exec' command internally.
While modifying the dccserver patch I noticed that xchat exposes all open sockets and files to it's child. I'll patch it and send it to xchat's author. firefox 22557 sven 5w REG 253,3 28374 31384 /home/sven/.xchat2/xchatlogs/QuakeNet-quakenet.log firefox 22557 sven 7u IPv4 756730 TCP luna.wegener.lan.stealer.net:20243->sw.de.quakenet.org:ircd (ESTABLISHED)
Patch sent to zed.
Patch has been commited to the xchat CVS repository. I've included the patch in our ebuild and bump the revision to -r1.