Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 300375 - <x11-apps/xinit-1.2.0-r4: xserverrc starts Xserver without -auth
Summary: <x11-apps/xinit-1.2.0-r4: xserverrc starts Xserver without -auth
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-01-10 09:30 UTC by Klaus Kusche
Modified: 2014-12-12 00:20 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Klaus Kusche 2010-01-10 09:30:02 UTC
If X is started with startx, startx creates an Xauth cookie, installs it in ~/.Xauthority, sets the XAUTHORITY environment variable, and calls
"xinit /etc/X11/xinit/xinitrc -- /etc/X11/xinit/xserverrc :0 -auth /home/xxx/.serverauth.4544".

However, /etc/X11/xinit/xserverrc ist just "exec /usr/bin/X -nolisten tcp".
It ignores the arguments passed to it ("-auth ...") and starts the X server
without any authentication.

I noticed because other local users were able to connect to my X session without having my .Xauthority !
Please change /etc/X11/xinit/xserverrc to something like "exec /usr/bin/X -nolisten tcp $*".
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-10 15:52:25 UTC
x11: please advice.
Restricting bug as this might be an unknown bug.
Comment 2 Mike Doty (RETIRED) gentoo-dev 2010-01-10 16:06:48 UTC
Craig-

You must CC individual people, not the alias.
Comment 3 Rémi Cardona gentoo-dev 2010-01-19 21:25:42 UTC
Sigh... startx... again. Do you know if other distros (Debian for example) have similar issues and if they scripts we could "borrow" ? In any case, startx is not really the "recommended" way to start Xorg these days... Not really worth the fuss IMHO, but I'll gladly apply patches.

Cheers
Comment 4 Klaus Kusche 2010-01-20 17:29:40 UTC
I don't know about other distributions, I'm Gentoo only.

But for me, simply changing /etc/X11/xinit/xserverrc from 
"exec /usr/bin/X -nolisten tcp" to
"exec /usr/bin/X -nolisten tcp $*" worked.

Perhaps someone of the X masters can comment on it?
Comment 5 Rémi Cardona gentoo-dev 2010-01-20 22:10:07 UTC
(In reply to comment #4)
> I don't know about other distributions, I'm Gentoo only.
> 
> But for me, simply changing /etc/X11/xinit/xserverrc from 
> "exec /usr/bin/X -nolisten tcp" to
> "exec /usr/bin/X -nolisten tcp $*" worked.

I know that's one possible fix, I was just curious if/how other distros handled startx. Guess I'll have to dig myself if I want to learn more.

> Perhaps someone of the X masters can comment on it?

That'd be me...

In any case, being still on devaway, if anyone wants to commit a patch, feel free to do so. Just keep this bug open so we backport the patch to the x11 overlay as well.

Thanks
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-12-12 15:23:34 UTC
It was commited a while ago, current /etc/X11/xinit/xserverrc:
#!/bin/sh
exec /usr/bin/X -nolisten tcp "$@"
Comment 7 Rémi Cardona gentoo-dev 2010-12-12 15:27:53 UTC
Indeed, this bug is fixed as far as X11 is concerned. @security, anything else to be done on your part?

Thanks
Comment 8 Tomáš Chvátal (RETIRED) gentoo-dev 2011-03-07 22:58:39 UTC
Ping, Opened for ~1 year, and fixed. So what is left?
Comment 9 Klaus Kusche 2011-03-08 06:12:57 UTC
Looks good to me, nothing left here.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-03-14 03:27:33 UTC
Thank you everyone. It looks like this was fixed in Bug 343911, without a GLSA. I have filed a GLSA request.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:20:48 UTC
This issue was resolved and addressed in
 GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml
by GLSA coordinator Sean Amoss (ackle).