| Summary: | entrance default listens on port 6000 | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Daniel <d_lord> |
| Component: | Current packages | Assignee: | SpanKY <vapier> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | rhill |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | x86 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | entrance-9999.ebuild.diff, entrance-x-options.patch | | |
Description
Daniel
2004-09-30 04:07:16 UTC

Mike this is your baby. I'm not really sure what this bug is about -- is it related to entrance? or is it related to X not using nolisten by default? either way, this isn't a security bug. Kicking it over to vapier to make it his problem.

from http://lude.net/edocs/entrance.htm {Entrance - The Login-Manager}

Currently known problems: Entrance starts X without -nolisten tcp. In other words, it will have the port 6000 wide open, which is a security threat. Of course you can firewall it, but in case the firewall is bypassed or doesn't work you might be in trouble. It is possible to change this behaviour by editing the source code before installing and compiling Entrance.

Here's a quick howto: Edit /e17/apps/entrance/src/daemon/Entranced.h from the source directory. The line you need to edit is right in the beginning of the file:

    #define X_SERVER "/usr/bin/X11/X -quiet"

Just add -nolisten tcp there so it will look like this:

    #define X_SERVER "/usr/bin/X11/X -quiet -nolisten tcp"

Now compile and install Entrance as usual. This time port 6000 should be closed by default. You can verify this with a portscanner and checking your processes with the "ps aux" command. X should now have -nolisten tcp listed.

---

confirmed this is still an issue with the latest cvs build (pulled 02.02.05). is this something to be worried about?

Created attachment 50281 [details, diff]
entrance-9999.ebuild.diff
this patch is against the cvs ebuild. it adds the line

    sed -i 's:\(#define X_SERVER "/usr/X11R6/bin/X -quiet\):\1\ -nolisten\ tcp:' ${S}/src/daemon/Entranced.h

to the end of src_unpack(). tested and working here.

Created attachment 50340 [details, diff]
entrance-x-options.patch
try this patch instead

spawner.c: In function `Entranced_Start_Server_Once':
spawner.c:129: warning: implicit declaration of function `e_db_str_get'
spawner.c:129: error: `db' undeclared (first use in this function)
spawner.c:129: error: (Each undeclared identifier is reported only once
spawner.c:129: error: for each function it appears in.)
spawner.c:129: warning: assignment makes pointer from integer without a cast
make[3]: *** [spawner.o] Error 1

(edited patch):
@@ -1,4 +1,5 @@ #include <Ecore.h> +#include <Edb.h> #include "Entranced.h" #include "auth.h" #include "util.h"

spawner.c: In function `Entranced_Start_Server_Once':
spawner.c:130: error: `db' undeclared (first use in this function)
spawner.c:130: error: (Each undeclared identifier is reported only once
spawner.c:130: error: for each function it appears in.)
make[3]: *** [spawner.o] Error 1

Comment on attachment 50340 [details, diff]
entrance-x-options.patch
this patch is crap, ignore it
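
Review bot: The '#include <Edb.h>' added at the top of spawner.c in the edited patch is not sufficient on its own. The build output that follows it no longer shows the implicit declaration of 'e_db_str_get', but it still stops at spawner.c:130 with 'db' undeclared in 'Entranced_Start_Server_Once'. The hunk needs a declaration of 'db' in that function before the call, and the result should compile cleanly before it is used in the ebuild.
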
talked to the e devs and they're aware of the issue ... they have a partial rewrite to address this issue in general so for now i'll just force the '-nolisten tcp' option
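
The verification step from the quoted howto (look for -nolisten tcp in the process list and confirm port 6000 is closed), written as a local check. This is an added example, not part of the bug report or of Entrance; the function names, the sample listings and the 6000-6009 port range are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit for X servers reachable over TCP (display :N -> port 6000+N).

# Constructed samples in the shape of `ps -eo pid=,args=` and `ss -ltn` output.
SAMPLE_PS='2101 /usr/sbin/entranced
2105 /usr/X11R6/bin/X -quiet :0
2230 /usr/X11R6/bin/X -quiet -nolisten tcp :1
2301 grep X'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*
LISTEN 0      128    [::]:6001          [::]:*'

# stdin: "PID ARGS..." lines. Prints the PID of every X server whose arguments
# do not contain the two-word option "-nolisten tcp".
x_servers_without_nolisten() {
    awk '{
        n = split($2, path, "/")
        if (path[n] != "X" && path[n] != "Xorg" && path[n] != "XFree86") next
        hardened = 0
        for (i = 3; i < NF; i++)
            if ($i == "-nolisten" && $(i + 1) == "tcp") hardened = 1
        if (!hardened) print $1
    }'
}

# stdin: `ss -ltn` or `netstat -ltn` lines (local address is field 4 in both).
# Prints local addresses bound to ports 6000-6009, i.e. displays :0 to :9
# (the upper bound is an assumption of this example).
x_tcp_listeners() {
    awk '{
        n = split($4, part, ":")
        port = part[n]
        if (port ~ /^[0-9]+$/ && port + 0 >= 6000 && port + 0 <= 6009) print $4
    }'
}

# $1 = process listing, $2 = socket listing. Returns 0 only when both are clean.
audit_x_tcp() {
    pids=$(printf '%s\n' "$1" | x_servers_without_nolisten)
    socks=$(printf '%s\n' "$2" | x_tcp_listeners)
    [ -n "$pids" ] && echo "X started without -nolisten tcp, PID(s):" $pids
    [ -n "$socks" ] && echo "TCP listeners in the X port range:" $socks
    [ -z "$pids" ] && [ -z "$socks" ]
}

# Live use: audit_x_tcp "$(ps -eo pid=,args=)" "$(ss -ltn)"
audit_x_tcp "$SAMPLE_PS" "$SAMPLE_SS" || echo "result: X is exposed on TCP"
```

On current X.Org releases TCP listening is off unless the server is started with -listen tcp, so on such hosts the socket listing is the check that matters.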