If X is started with startx, startx creates an Xauth cookie, installs it in ~/.Xauthority, sets the XAUTHORITY environment variable, and calls
"xinit /etc/X11/xinit/xinitrc -- /etc/X11/xinit/xserverrc :0 -auth /home/xxx/.serverauth.4544".
However, /etc/X11/xinit/xserverrc ist just "exec /usr/bin/X -nolisten tcp".
It ignores the arguments passed to it ("-auth ...") and starts the X server
without any authentication.
I noticed because other local users were able to connect to my X session without having my .Xauthority !
Please change /etc/X11/xinit/xserverrc to something like "exec /usr/bin/X -nolisten tcp $*".
x11: please advice.
Restricting bug as this might be an unknown bug.
You must CC individual people, not the alias.
Sigh... startx... again. Do you know if other distros (Debian for example) have similar issues and if they scripts we could "borrow" ? In any case, startx is not really the "recommended" way to start Xorg these days... Not really worth the fuss IMHO, but I'll gladly apply patches.
I don't know about other distributions, I'm Gentoo only.
But for me, simply changing /etc/X11/xinit/xserverrc from
"exec /usr/bin/X -nolisten tcp" to
"exec /usr/bin/X -nolisten tcp $*" worked.
Perhaps someone of the X masters can comment on it?
(In reply to comment #4)
> I don't know about other distributions, I'm Gentoo only.
> But for me, simply changing /etc/X11/xinit/xserverrc from
> "exec /usr/bin/X -nolisten tcp" to
> "exec /usr/bin/X -nolisten tcp $*" worked.
I know that's one possible fix, I was just curious if/how other distros handled startx. Guess I'll have to dig myself if I want to learn more.
> Perhaps someone of the X masters can comment on it?
That'd be me...
In any case, being still on devaway, if anyone wants to commit a patch, feel free to do so. Just keep this bug open so we backport the patch to the x11 overlay as well.
It was commited a while ago, current /etc/X11/xinit/xserverrc:
exec /usr/bin/X -nolisten tcp "$@"
Indeed, this bug is fixed as far as X11 is concerned. @security, anything else to be done on your part?
Ping, Opened for ~1 year, and fixed. So what is left?
Looks good to me, nothing left here.
Thank you everyone. It looks like this was fixed in Bug 343911, without a GLSA. I have filed a GLSA request.
This issue was resolved and addressed in
GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml
by GLSA coordinator Sean Amoss (ackle).