FS#9053 - [security] '-nolisten tcp' by default for X, kdm

Attached to Project: Arch Linux
Opened by sd (vfork_0x00f) - Sunday, 30 December 2007, 09:08 GMT
Last edited by Alexander Baldeck (kth5) - Tuesday, 15 January 2008, 19:31 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To Aaron Griffin (phrakture), Alexander Baldeck (kth5)
Architecture All
Severity Medium
Priority Normal
Reported Version 2007.08-2
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 5
Private No

Details

Description:

I suggest making '-nolisten tcp' the default configuration when starting up X.

In Debian, Ubuntu, Fedora, Red Hat, Suse, OpenBSD and probably many others, X port listening is disabled as a security measure. This means that, as shipped, kdm (or xdm/gdm) is not reachable via the network and is unable to manage X servers running on remote hosts. This is not a big problem, since most people do not need to enable port listening in kdm. SSH forwards for X11 or export DISPLAY should cover most users needs.

May I suggest doing the same in Arch and adding '-nolisten tcp' as the default in startx and /opt/kde/share/config/kdm/kdmrc?

This is easy to do (one line to change), it does not compromise 'the Arch Way' and the security benefit is real.

Additional info:

* package version(s)

extra/xorg-xinit 1.0.7-2
extra/kdebase 3.5.8-2

* config and/or log files etc.

/usr/bin/startx
/opt/kde/share/config/kdm/kdmrc

Closed by Alexander Baldeck (kth5)
Tuesday, 15 January 2008, 19:31 GMT
Reason for closing: Implemented
Additional comments about closing: added default xserverrc with -nolisten tcp option
Comment by Aaron Griffin (phrakture) - Friday, 04 January 2008, 07:40 GMT
This one is a tad important. It's really simple and a much saner default config. I have had a sed line in the slim PKGBUILD for a while to do just this.

Can someone verify that only kdebase and xorg-xinit need changes? I'm sure there's a gdm-based change somewhere?
Comment by sd (vfork_0x00f) - Friday, 04 January 2008, 12:16 GMT
I do not use gdm, but I think there is an option "DisallowTCP=true" that must be uncommented in

/usr/share/gdm/factory-defaults.conf

and/or

/usr/share/gdm/defaults.conf
Comment by Tobias Powalowski (tpowa) - Sunday, 06 January 2008, 07:45 GMT
On a default kdm config you cannot connect with XDMCP; it is disabled by default.
Comment by sd (vfork_0x00f) - Monday, 07 January 2008, 17:11 GMT
The X11 port is open unless kdm is started with -nolisten tcp.
Comment by Tobias Powalowski (tpowa) - Friday, 11 January 2008, 09:35 GMT
Fixed in the new kdmrc file; what's the status of xorg-xinit?
Comment by Jens Adam (byte) - Friday, 11 January 2008, 13:25 GMT
You could add a /etc/skel/.xserverrc, like this:

#!/bin/sh
# start the X server for display :0 without a TCP listener on port 6000
exec /usr/bin/X :0 -nolisten tcp

Comment by Aaron Griffin (phrakture) - Friday, 11 January 2008, 20:45 GMT
Hrm, the .xserverrc entry is a fairly concise way to solve this, but I'd still kinda like it solved at the top level too. So maybe we could do both in xorg-xinit?

Alex, could you respond here?
Comment by Jens Adam (byte) - Saturday, 12 January 2008, 00:17 GMT
Hm, why didn't I look at /usr/bin/startx before?
/etc/X11/xinit/xserverrc or $defaultserverargs (in startx)?
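To confirm that whichever of the fixes discussed in this thread (xserverrc, kdmrc or the startx defaults) actually took effect, here is an added audit script; it is not part of the bug report or of any Arch package. It checks that the X server's command line carries -nolisten tcp and that nothing listens on TCP port 6000+display, falling back to constructed ss -ltn samples when no X server is running; the ss tool and the X/Xorg process-name pattern are assumptions.

```sh
#!/bin/sh
# Added example (not from the bug report or Arch's packages): audit whether an X
# server is exposed over TCP. Display :N uses port 6000+N unless "-nolisten tcp".
# Return 0 if an X server command line contains "-nolisten tcp", else 1.
has_nolisten_tcp() {
    case " $1 " in *" -nolisten tcp "*) return 0 ;; esac
    return 1
}

# Return 0 if text in the format of `ss -ltn` ($1) shows a TCP listener on
# the port of display $2 (6000 + display number), else 1.
x_tcp_listener_present() {
    printf '%s\n' "$1" | awk -v p="$((6000 + $2))" '
        NR > 1 {                       # skip the header line
            n = split($4, a, ":")      # "Local Address:Port": port follows the last ":"
            if (a[n] == p) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Verdict for one display: prints the reason and returns 0 when hardened,
# 1 when exposed. $1 = X command line, $2 = `ss -ltn` output, $3 = display.
audit_x_exposure() {
    disp=${3:-0}; reason=""
    has_nolisten_tcp "$1" || reason="X not started with -nolisten tcp"
    if x_tcp_listener_present "$2" "$disp"; then
        reason="${reason:+$reason; }TCP port $((6000 + disp)) is listening"
    fi
    [ -z "$reason" ] && { echo "display :$disp hardened"; return 0; }
    echo "display :$disp EXPOSED: $reason"
    return 1
}

# Constructed sample inputs (not captured from a real host).
SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*'
SS_HARDENED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
X_DEFAULT='/usr/bin/X :0'
X_FIXED='/usr/bin/X :0 -nolisten tcp'

# Audit the running X server when there is one (needs ps and ss); otherwise
# walk the constructed samples so the script demonstrates both verdicts.
live_cmd=$(ps -eo args= 2>/dev/null | grep -E '^(/usr/bin/)?(X|Xorg)( |$)' | head -n 1)
if [ -n "$live_cmd" ] && command -v ss >/dev/null 2>&1; then
    audit_x_exposure "$live_cmd" "$(ss -ltn)" 0 || true
else
    audit_x_exposure "$X_DEFAULT" "$SS_EXPOSED" 0 || true   # EXPOSED
    audit_x_exposure "$X_FIXED" "$SS_HARDENED" 0            # hardened
fi
```

Output of netstat -ltn also carries the local address in the fourth column, so it can be passed to audit_x_exposure in place of ss on older systems.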
