Bug 264998 - x11-apps/xdm-1.1.8 is listening on TCP by default
Summary: x11-apps/xdm-1.1.8 is listening on TCP by default
Status: RESOLVED DUPLICATE of bug 193044
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All
OS: Linux
Importance: High normal
Assignee: Gentoo X packagers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-04-05 18:17 UTC by Tim Weber
Modified: 2009-06-23 20:12 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Tim Weber 2009-04-05 18:17:26 UTC
I just noted that my xdm is listening on TCP 0.0.0.0:6000 and :::6000 (IPv6) by default. This might not be a gaping security hole, but the default should probably be “-nolisten tcp” in /etc/X11/xdm/Xservers, shouldn’t it? IIRC this actually was the default once; why has it been changed?
Comment 1 Rémi Cardona (RETIRED) gentoo-dev 2009-04-08 09:51:31 UTC
Unless you actually allow incoming tcp connections using "xhost", this is not a problem. IMHO, this is not a problem.

Running X as root is imho a much bigger problem...

Thanks
Comment 2 Tim Weber 2009-04-08 11:11:50 UTC
Thanks for your reply.

However, I disagree with you on the security relevance of this setting. Every security researcher I know (and there are some) would probably say that not running a service at all is always more secure than running a service that doesn’t allow people to use it, because code that’s running can always be flawed.

When the X server stays configured like this per default, I see three main problems:

1. If there is a bug in Xorg even before the IP check that is configured with xhost, some kind of buffer overflow, DoS or whatever, the system is remotely exploitable. There is, for example, lots of software that can be run via inetd or via a standalone daemon, and most authors of that software recommend using inetd for access limiting — for a reason.

2. The system is more easily fingerprintable by port scans, for example. It might be helpful for an attacker to know that your host is running X.

3. You’re wasting resources. Yes, a listening socket or two isn’t _that_ much, but this is Gentoo, after all. ;)

I’d like to kindly ask you to confirm your decision with Gentoo’s security experts before closing this bug. No offense, but I have a security background and if this was _my_ distribution I would never use a default setting like this. Of course I will configure my machine for “-nolisten tcp”, but others might not know the implications and assume the default is safe. And even though I’m not saying it is _not_, I’m saying that it could be _safer_.

I hope you don’t take this as personal offense or “nagging around”, I’m just concerned about (what some might see as unimportant details of) my favorite distro.
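A shell audit for the two points raised in this thread, added here as an example and not part of the bug report: it checks whether every server line in an Xservers file carries “-nolisten tcp”, and whether anything is actually bound to a TCP X display port (6000-6063). The Xservers content and the `ss -ltn` output below are constructed samples; on a real host the same functions would read /etc/X11/xdm/Xservers and the output of `ss -ltn`.

```shell
#!/bin/sh
# Constructed sample of /etc/X11/xdm/Xservers: display :0 lacks -nolisten tcp,
# display :1 has it; the comment line must be ignored.
SAMPLE_XSERVERS=':0 local /usr/bin/X -br -deferglyphs 16
:1 local /usr/bin/X -nolisten tcp -br
# a comment line that must be ignored'

# Read Xservers content on stdin; print each display whose server line lacks
# "-nolisten tcp". Returns 0 when every server line is hardened, 1 otherwise.
xservers_missing_nolisten() {
    rc=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;                       # skip blanks and comments
            *'-nolisten tcp'*) ;;                       # hardened, nothing to report
            *) printf '%s\n' "${line%% *}"; rc=1 ;;     # first field is the display
        esac
    done
    return $rc
}

# Constructed sample of `ss -ltn` output: X bound on port 6000 for IPv4 and IPv6,
# plus an unrelated loopback-only listener that must not be reported.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*
LISTEN 0      128    [::]:6000           [::]:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*'

# Read `ss -ltn`-style output on stdin; print each listening socket on an X
# display port (6000-6063). Returns 0 when none is found, 1 otherwise.
x11_tcp_listeners() {
    found=0
    while read -r state _recvq _sendq addr _peer; do
        [ "$state" = LISTEN ] || continue
        port=${addr##*:}                 # strips up to the last colon: works for [::]:6000 too
        case $port in
            60[0-5][0-9]|606[0-3]) printf '%s\n' "$addr"; found=1 ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Stand-alone usage on the constructed samples.
if printf '%s\n' "$SAMPLE_XSERVERS" | xservers_missing_nolisten; then
    echo 'Xservers: every server line carries -nolisten tcp'
fi
if printf '%s\n' "$SAMPLE_SS" | x11_tcp_listeners; then
    echo 'no X display port is listening on TCP'
fi
```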
Comment 3 Rémi Cardona (RETIRED) gentoo-dev 2009-06-23 20:12:55 UTC

*** This bug has been marked as a duplicate of bug 193044 ***