If X is started with startx, startx creates an Xauth cookie, installs it in ~/.Xauthority, sets the XAUTHORITY environment variable, and calls "xinit /etc/X11/xinit/xinitrc -- /etc/X11/xinit/xserverrc :0 -auth /home/xxx/.serverauth.4544". However, /etc/X11/xinit/xserverrc is just "exec /usr/bin/X -nolisten tcp". It ignores the arguments passed to it ("-auth ...") and starts the X server without any authentication. I noticed because other local users were able to connect to my X session without having my .Xauthority! Please change /etc/X11/xinit/xserverrc to something like "exec /usr/bin/X -nolisten tcp $*".
x11: please advise. Restricting bug as this might be an unknown bug.
Craig- You must CC individual people, not the alias.
Sigh... startx... again. Do you know if other distros (Debian for example) have similar issues and if they have scripts we could "borrow"? In any case, startx is not really the "recommended" way to start Xorg these days... Not really worth the fuss IMHO, but I'll gladly apply patches. Cheers
I don't know about other distributions, I'm Gentoo only. But for me, simply changing /etc/X11/xinit/xserverrc from "exec /usr/bin/X -nolisten tcp" to "exec /usr/bin/X -nolisten tcp $*" worked. Perhaps someone of the X masters can comment on it?
(In reply to comment #4)
> I don't know about other distributions, I'm Gentoo only.
>
> But for me, simply changing /etc/X11/xinit/xserverrc from
> "exec /usr/bin/X -nolisten tcp" to
> "exec /usr/bin/X -nolisten tcp $*" worked.
I know that's one possible fix, I was just curious if/how other distros handled startx. Guess I'll have to dig myself if I want to learn more.
> Perhaps someone of the X masters can comment on it?
That'd be me... In any case, being still on devaway, if anyone wants to commit a patch, feel free to do so. Just keep this bug open so we backport the patch to the x11 overlay as well. Thanks
It was committed a while ago, current /etc/X11/xinit/xserverrc:
#!/bin/sh
exec /usr/bin/X -nolisten tcp "$@"
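To show why the original xserverrc left the server without a cookie check and why the committed fix uses "$@" rather than the proposed $*, here is an added example (not part of the bug thread or of the xinit package) that replaces /usr/bin/X with a stand-in function which only reports the arguments it receives, and runs the three xserverrc variants against it with the ":0 -auth <file>" arguments xinit passes.

```sh
#!/bin/sh
# Added example: simulate how each /etc/X11/xinit/xserverrc variant forwards
# the arguments xinit hands it (":0 -auth /path/to/serverauth").

# Stand-in for /usr/bin/X (assumption: the real server is never started here).
# Prints each argument on its own line, wrapped in brackets.
fake_x() {
    for a in "$@"; do printf '[%s]\n' "$a"; done
}

# Original xserverrc from the report: xinit's arguments are silently dropped,
# so X starts with no -auth file and accepts any local connection.
xserverrc_original() { fake_x -nolisten tcp; }

# Fix proposed in the report: forwards the arguments, but unquoted $* lets the
# shell re-split them on whitespace (a cookie path with a space breaks apart).
xserverrc_star() { fake_x -nolisten tcp $*; }

# Committed fix: "$@" forwards every argument exactly as xinit passed it.
xserverrc_at() { fake_x -nolisten tcp "$@"; }

# Number of distinct arguments the X stand-in actually received.
argc_seen() {
    variant=$1; shift
    "$variant" "$@" | grep -c '^\['
}

# Succeeds only if the variant passed "-auth" through to the X stand-in.
forwards_auth() {
    variant=$1; shift
    "$variant" "$@" | grep -qx -- '\[-auth\]'
}

# Constructed sample invocation, as startx/xinit would make it.
for v in xserverrc_original xserverrc_star xserverrc_at; do
    if forwards_auth "$v" :0 -auth /tmp/.serverauth.example; then
        echo "$v: -auth reaches the server"
    else
        echo "$v: -auth is lost, server runs without a cookie check"
    fi
done
```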
Indeed, this bug is fixed as far as X11 is concerned. @security, anything else to be done on your part? Thanks
Ping. Opened for ~1 year, and fixed. So what is left?
Looks good to me, nothing left here.
Thank you everyone. It looks like this was fixed in Bug 343911, without a GLSA. I have filed a GLSA request.
This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).