Bug 201782 - x11-apps/xinit should ship xserverrc that disables tcp for X server by default.
Status: RESOLVED DUPLICATE of bug 193044
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All All
Importance: High normal
Assignee: Gentoo X packagers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-12-09 17:44 UTC by Samuli Suominen (RETIRED)
Modified: 2007-12-16 11:19 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Samuli Suominen (RETIRED) gentoo-dev 2007-12-09 17:44:38 UTC
x11-apps/xinit should ship a file /etc/X11/xinit/xserverrc that contains:

-br -nolisten tcp

Instead of shipping this patch, x11-apps/xinit/files/nolisten-tcp-and-black-background.patch,
which is then only used by startx, leaving other starting methods, like
startxfce4, vulnerable to remote attacks (open tcp 6000).

Starting from Xfce 4.4.2 this is worked around by,

xfce-base/xfce-utils/files/xfce-utils-4.4.2-nolisten-tcp.patch
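A small audit helper, added here as an example (it is not from this bug report or from Gentoo's xinit), that checks the two things the report is about: whether an xserverrc actually passes -nolisten tcp to the X server, and whether a display's TCP port (6000 plus the display number) is listening on the running system. The path /etc/X11/xinit/xserverrc is the one proposed above; the ss/netstat parsing and the listing lines in the comments are assumptions about those tools' standard output format.

```shell
#!/bin/sh
# Added audit helper (example only; not from this bug report or Gentoo's xinit).
# Two checks: does an xserverrc pass "-nolisten tcp" to the X server, and is
# the TCP port for a display (6000 + display number) actually listening.

# Returns 0 when the xserverrc passes -nolisten tcp on a non-comment line.
xserverrc_disables_tcp() {
    file="$1"
    [ -r "$file" ] || return 1
    grep -Ev '^[[:space:]]*#' "$file" |
        grep -Eq '(^|[[:space:]])-nolisten[[:space:]]+tcp([[:space:]]|$)'
}

# Reads an "ss -ltn" or "netstat -ltn" listing on stdin; returns 0 when a
# listening socket on TCP port $1 is present (IPv4 or IPv6), else 1.
port_is_listening() {
    awk -v port="$1" '
        # ss rows start with LISTEN, netstat rows with tcp/tcp6; column 4 is
        # the local address, whose last ":"-separated field is the port.
        $1 ~ /^(LISTEN|tcp6?)$/ {
            n = split($4, a, ":")
            if (a[n] == port) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Live check for display :N (default :0); returns 0 when the display's TCP
# port is open, 1 when closed or when neither ss nor netstat is available.
x_display_tcp_open() {
    port=$((6000 + ${1:-0}))
    { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } | port_is_listening "$port"
}

# Stand-alone report for the xserverrc path proposed in this bug.
if xserverrc_disables_tcp /etc/X11/xinit/xserverrc; then
    echo "xserverrc: -nolisten tcp present"
else
    echo "xserverrc: missing or does not pass -nolisten tcp"
fi
if x_display_tcp_open 0; then
    echo "display :0: TCP 6000 is listening"
else
    echo "display :0: TCP 6000 is not listening"
fi
```

Note that an open port 6000 only means the server accepts TCP connections; as Comment 2 points out, clients still need X authentication (xauth) to do anything with it.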
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2007-12-09 17:45:27 UTC
Just to be clear, both startx and startxfce4 can use this standard xserverrc. Debian ships one, we should also.
Comment 2 Donnie Berkholz (RETIRED) gentoo-dev 2007-12-10 05:24:19 UTC
I'm not sure why security is CC'd on here, as being open on port 6000 does not in itself cause any vulnerabilities. Remote users still require authentication (e.g., via xauth) to access X. Right now, I know gdm, kdm and startx all don't listen on 6000 by default, and I think xdm, which nobody uses, still does. There is bug #193044 for that, which this appears to be a duplicate of.
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2007-12-16 11:19:46 UTC
No point in having two bugs then.

*** This bug has been marked as a duplicate of bug 193044 ***