Bug 193044 - x11-apps/xinit: default server options don't include -nolisten tcp
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: Gentoo X packagers
Keywords: Inclusion
Duplicates: 201782 264998 273927
Reported: 2007-09-19 10:40 UTC by Andrew Hurst
Modified: 2009-10-03 15:15 UTC
CC: 5 users
Runtime testing required: ---
Description Andrew Hurst 2007-09-19 10:40:38 UTC
By default, GDM and others include the security option '-nolisten tcp' in the Xserver init script.  xdm's init scripts do not by default use this option (I noticed when conky showed me an open port I wasn't expecting).

I think this arg should live in /etc/X11/xdm/Xservers, but someone probably knows better than I.

Reproducible: Always

Steps to Reproduce:
1.  install xorg-x11
2.  set up xdm as your display manager
3.  start X, and look at your listening ports with netstat -l
This may have been fixed already:  I put -nolisten tcp into the file stated above, and I can't remember whether it's been updated or not.
Comment 1 Andrew Hurst 2007-09-19 10:43:27 UTC
This bug might be better attached to x11-apps/xinit
- does that one include xdm?  It's hard to tell with this modular stuff.
Comment 2 Andrew Hurst 2007-09-19 11:42:28 UTC
A patch has been made for xinit which adds nolisten tcp to the default server args:
xinit/files/nolisten-tcp-and-black-background

It adds to a variable declaration in a source code file.  This is not the place to do it!

startx.cpp reads in xserverrc, which _is_ a good place to put default server args.
Comment 3 Andrew Hurst 2007-09-19 12:05:10 UTC
startx.cpp becomes /usr/bin/startx during compile.
Is that the place for default X server config?
Comment 4 Andrew Hurst 2007-09-19 12:13:10 UTC
The answer is no!
/usr/bin/startx reads /etc/X11/xinit/xserverrc which is where -nolisten tcp should go.

However, this is for configuring all X servers' defaults.

According to xorg people in the irc channel, xserver default args should be configured per session manager in e.g. /etc/GDM/gdm.conf for gdm, and /etc/X11/xdm/Xservers for xdm.

Those using startx manually may configure a .xserverrc as well as a .xinitrc, but the system-wide /etc/X11/xinit/xserverrc needs adding to the ebuild or the source xorg module, as it's missing, rather than modifying /usr/bin/startx!
Comment 5 Jakub Moc (RETIRED) gentoo-dev 2007-12-16 11:19:46 UTC
*** Bug 201782 has been marked as a duplicate of this bug. ***
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2008-01-19 13:52:33 UTC
Bug 206633, I do think this is a security issue.
Comment 7 Donnie Berkholz (RETIRED) gentoo-dev 2008-01-19 22:05:11 UTC
It's not a security issue. Even if X is listening on TCP, you still need to be authenticated to run any clients. The only possibly relevant security issue would be one in X's authentication code.

I'll quote from the other bug:

"All these vulnerabilities, to be exploited successfully, require either
an already established connection to a running X server (and normally
running X servers are only accepting authenticated connections), or a
shell access with a valid user on the machine where the vulnerable
server is installed."
Comment 8 Rémi Cardona (RETIRED) gentoo-dev 2009-06-23 20:12:55 UTC
*** Bug 264998 has been marked as a duplicate of this bug. ***
Comment 9 Rémi Cardona (RETIRED) gentoo-dev 2009-06-25 12:34:55 UTC
*** Bug 273927 has been marked as a duplicate of this bug. ***
Comment 10 Rémi Cardona (RETIRED) gentoo-dev 2009-06-25 12:36:45 UTC
@security, your call. We in the X herd believe the current situation is safe.

Thanks
Comment 11 SpanKY gentoo-dev 2009-06-25 14:15:21 UTC
the security aspect is irrelevant.  people should be free to control their system behavior based on their knowledge of how the system is being used.  it certainly should not be the current situation where we force them to (1) search random places as to where this option could possibly be and (2) modify files that aren't config protected and will be clobbered on next upgrade.

if a conf.d option is too much effort, then simply make it a local USE flag.
Comment 12 Andrew Hurst 2009-06-25 14:33:15 UTC
It's only my opinion, but I reckon the bug should actually be a x11-apps/xdm bug, and the solution: a patch in the xdm ebuild which adds -nolisten tcp to the xdm options.

I agree that forcing this option for all X configs in xinit is too draconian.
The nolisten startx.cpp patch for xinit should go, if it hasn't already.

I think /etc/X11/xdm/Xservers is the right place, but that's for xdm, not xinit (should I file a new bug?)
Comment 13 SpanKY gentoo-dev 2009-06-25 14:38:53 UTC
just keep the conversation here until we decide the way to go.  the exact package isn't terribly relevant, the discussion is about "-nolisten tcp" usage.
Comment 14 Samuli Suominen (RETIRED) gentoo-dev 2009-06-30 19:51:22 UTC
(In reply to comment #4)
> The answer is no!
> /usr/bin/startx reads /etc/X11/xinit/xserverrc which is where -nolisten tcp
> should go.
> 
> However, this is for configuring all X servers' defaults.
> 
> According to xorg people in the irc channel, xserver default args should be
> configured per session manager in e.g. /etc/GDM/gdm.conf for gdm, and
> /etc/X11/xdm/Xservers for xdm.
> 
> Those using startx manually may configure a .xserverrc as well as a .xinitrc,
> but the system-wide /etc/X11/xinit/xserverrc needs adding to the ebuild or the
> source xorg module, as it's missing, rather than modifying /usr/bin/startx!
> 

I couldn't agree more. That's how other distributions do it as well.
Comment 15 Martin Mokrejš 2009-07-29 10:27:10 UTC
(In reply to comment #7)
> It's not a security issue. Even if X is listening on TCP, you still need to be
> authenticated to run any clients. The only possibly relevant security issue
> would be one in X's authentication code.
> 
> I'll quote from the other bug:
> 
> "All these vulnerabilities, to be exploited successfully, require either
> an already established connection to a running X server (and normally
> running X servers are only accepting authenticated connections), or a
> shell access with a valid user on the machine where the vulnerable
> server is installed."
> 

Some people (or scripts on their behalf) set "xhost +". For that I do not need a local account, right? I don't mind if that goes into server default or into all window managers configs, xinit and startx.
Comment 16 SpanKY gentoo-dev 2009-08-13 10:05:41 UTC
"xhost +" can be done by the person logged in, but that merely controls permissions.  it makes no difference at all to the ports/protocols X listens with.

as for adding that command to default scripts, that is a truly awful idea and a gaping security hole.
Comment 17 Rémi Cardona (RETIRED) gentoo-dev 2009-10-03 09:04:36 UTC
I've done my xinit homework and we now install /etc/X11/xinit/xserverrc which can be overridden with a per-user .xserverrc like we should have been doing all along.

startx no longer hardcodes default arguments.

This is now fixed in the x11 overlay's xinit-9999 ebuild and will be put in portage with the next release of xinit (which should be only a few days away).

Thanks
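As an added illustration (not code from the bug or from the xinit package) of the situation comments 4 and 17 describe: an X display :N that was started without "-nolisten tcp" listens on TCP port 6000+N, and the fix installs a system-wide /etc/X11/xinit/xserverrc that passes the option. The script below flags exposed displays in netstat/ss-style listening-socket output (the sample lines are constructed) and writes an xserverrc of the kind the fix installs; the port range 6000-6063 and the /usr/bin/X path are assumptions.

```shell
#!/bin/sh
# Constructed sample of `netstat -lnt` output: sshd plus two X displays (:0 and :1)
# started without "-nolisten tcp".
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp6       0      0 :::6001                 :::*                    LISTEN'

# Read netstat -lnt or ss -lnt lines on stdin and print the display number of every
# X server whose socket is exposed on TCP. The first field that ends in ":<digits>" is
# the local address in both tools' output; ports 6000-6063 are taken (assumption) as
# the usual X display range.
x_tcp_displays() {
    awk '/LISTEN/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /:[0-9]+$/) {
                n = split($i, a, ":"); port = a[n] + 0
                if (port >= 6000 && port <= 6063) printf "%d\n", port - 6000
                break
            }
        }
    }'
}

# Write a system-wide xserverrc like the one comment 17 describes, so that startx
# (and anything honouring /etc/X11/xinit/xserverrc) starts X without a TCP listener.
# The path is a parameter so the example can target a scratch file instead of /etc.
write_xserverrc() {
    cat > "$1" <<'EOF'
#!/bin/sh
# System-wide default X server arguments; a per-user ~/.xserverrc overrides this file.
exec /usr/bin/X -nolisten tcp "$@"
EOF
}

# Run the check against the live system, preferring ss when it is available.
check_live() {
    if command -v ss >/dev/null 2>&1; then ss -lnt; else netstat -lnt; fi | x_tcp_displays
}
```

Any display number printed by check_live means that X server accepts TCP connections (still subject to its xauth/xhost access control); an empty result is the state "-nolisten tcp" produces.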
Comment 18 Samuli Suominen (RETIRED) gentoo-dev 2009-10-03 09:10:58 UTC
remi++

thanks :)
Comment 19 SpanKY gentoo-dev 2009-10-03 15:15:18 UTC
thanks for doing the footwork here