FS#9053 - [security] '-nolisten tcp' by default for X, kdm
Attached to Project:
Arch Linux
Opened by sd (vfork_0x00f) - Sunday, 30 December 2007, 09:08 GMT
Last edited by Alexander Baldeck (kth5) - Tuesday, 15 January 2008, 19:31 GMT
Details
Description:
I suggest making '-nolisten tcp' the default configuration when starting up X.

In Debian, Ubuntu, Fedora, Red Hat, Suse, OpenBSD and probably many others, X port listening is disabled as a security measure. This means that, as shipped, kdm (or xdm/gdm) is not reachable via the network and is unable to manage X servers running on remote hosts. This is not a big problem, since most people do not need to enable port listening in kdm. SSH forwards for X11 or export DISPLAY should cover most users' needs.

May I suggest doing the same in Arch and adding '-nolisten tcp' as the default in startx and /opt/kde/share/config/kdm/kdmrc? This is easy to do (one line to change), it does not compromise 'the Arch Way' and the security benefit is real.

Additional info:
* package version(s)
  extra/xorg-xinit 1.0.7-2
  extra/kdebase 3.5.8-2
* config and/or log files etc.
  /usr/bin/startx
  /opt/kde/share/config/kdm/kdmrc
Closed by Alexander Baldeck (kth5)
Tuesday, 15 January 2008, 19:31 GMT
Reason for closing: Implemented
Additional comments about closing: added default xserverrc with -notcp option
Can someone verify that only kdebase and xorg-xinit need changes? I'm sure there's a gdm-based change somewhere?
/usr/share/gdm/factory-defaults.conf
and/or
/usr/share/gdm/defaults.conf
#!/bin/sh
exec /usr/bin/X :0 -nolisten tcp
Alex, could you respond here?
/etc/X11/xinit/xserverrc or $defaultserverargs (in startx)?
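A way to verify the setting discussed in this ticket, added here as an example (it is not code from the ticket or from Arch). The function names `has_nolisten_tcp` and `x11_tcp_listeners` are hypothetical, and the script assumes listener data in the column layout of `ss -Hltn` and treats TCP ports 6000-6063 as the X display range.

```shell
#!/bin/sh
# Added example: audit helpers for the '-nolisten tcp' default.

# Succeeds if a non-comment line of file $1 passes "-nolisten tcp"
# to the X server (e.g. an xserverrc like the one quoted in the ticket).
has_nolisten_tcp() {
    awk '!/^[ \t]*#/ && /-nolisten[ \t]+tcp/ { found = 1 }
         END { exit !found }' "$1"
}

# Reads `ss -Hltn`-style lines on stdin and prints every listening
# X11 TCP socket. Display :N listens on TCP port 6000+N; the upper
# bound 6063 is an assumption of this example.
x11_tcp_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, parts, ":")      # port is the last ":" field,
        port = parts[n] + 0            # also for "[::]:6001"
        if (port >= 6000 && port <= 6063)
            print "display :" (port - 6000) " on " $4
    }'
}

# Constructed sample input (not captured from a real host):
# sshd, an X server for display :0, and an IPv6 listener for :1.
sample_ss='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6000 0.0.0.0:*
LISTEN 0 128 [::]:6001 [::]:*'

printf '%s\n' "$sample_ss" | x11_tcp_listeners

# On a live system the same check would be:
#   ss -Hltn | x11_tcp_listeners
#   has_nolisten_tcp /etc/X11/xinit/xserverrc && echo "xserverrc OK"
```

With OpenSSH's default settings, sshd X11 forwarding binds proxy displays on localhost starting at port 6010, so those sockets are reported as well; check the bound address before treating a hit as an exposed X server.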