FS#17042 - [xorg-xdm] complains that the session is insecure on login screen display

Attached to Project: Arch Linux
Opened by Jörg Kriegel (sokoban65) - Saturday, 07 November 2009, 08:56 GMT
Last edited by Jan de Groot (JGC) - Sunday, 08 November 2009, 20:50 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Jan de Groot (JGC)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
xorg-xdm complains that the session is insecure on login screen display. This is because the package does not create a /var/lib/xdm directory. I gave it high severity because it affects security.

Additional info:
* package version : xorg-xdm 1.1.9-1 (tested on x86_64 but should also apply to i686)

Steps to reproduce:
* Make sure a local /var/lib/xdm doesn't exist
* (Re)install xorg-xdm 1.1.9-1
* Run xdm
* Xdm logs the error in /var/log/xdm.log

Workaround:
* mkdir /var/lib/xdm

Closed by  Jan de Groot (JGC)
Sunday, 08 November 2009, 20:50 GMT
Reason for closing:  Fixed
Additional comments about closing:  1.1.9-2.
Comment by Johannes Dewender (JonnyJD) - Saturday, 07 November 2009, 23:55 GMT
I can confirm this. I made a fresh install and I have the same problem.

Looks like xdm-auth was disabled: http://repos.archlinux.org/wsvn/packages/xorg-xdm/repos/extra-i686/PKGBUILD?op=log
because of http://bugs.archlinux.org/task/17016

Maybe that compile switch doesn't remove that feature completely?
Comment by Jörg Kriegel (sokoban65) - Sunday, 08 November 2009, 16:00 GMT
As I understand it, the switch '--disable-xdm-auth' only disables XDM-AUTHENTICATION-1 access control.

Git Repository: http://cgit.freedesktop.org/xorg/app/xdm/commit/?id=0ce4128e19f9fac9a565cce42a6a575486d371a5

The other method is MIT-MAGIC-COOKIE-1, which is also used. This can be easily checked with:

$ xauth list
host.domain:0 MIT-MAGIC-COOKIE-1 f7ded80a4c40b4cfed5cf68471b47120
[fe80::...]:0 MIT-MAGIC-COOKIE-1 f7ded80a4c40b4cfed5cf68471b47120
host/unix:0 MIT-MAGIC-COOKIE-1 f7ded80a4c40b4cfed5cf68471b47120

This is described in more detail in the Xsecurity man page.

It seems the default authdir path has just changed to /var/lib/xdm in the 1.1.9 release.

Git Repository: http://cgit.freedesktop.org/xorg/app/xdm/commit/?id=0c57a398cef50d13a821ad341ffb15ab0cbd2bad
Comment by Jan de Groot (JGC) - Sunday, 08 November 2009, 16:17 GMT
Any specific permissions that need to be set on this directory, or is 755 sufficient?
Comment by Jörg Kriegel (sokoban65) - Sunday, 08 November 2009, 16:28 GMT
755 should be ok. Xdm creates a /var/lib/xdm/authdir directory with 700.
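
Added example, not part of the bug report or the Arch package: a shell check for the condition discussed in this task, using the path and modes named in the comments above (/var/lib/xdm present and not group- or world-writable, authdir at 700 once xdm has created it). The function name, return codes and the --check switch are made up for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): audit xdm's authorization directory.
# Expected modes come from the thread: 755 on the base dir is sufficient,
# and xdm creates authdir with 700. Name and return codes are hypothetical.

check_xdm_authdir() {
    base="${1:-/var/lib/xdm}"   # default authdir location since 1.1.9, per the thread
    auth="$base/authdir"

    # The reported bug: the package did not create the directory at all.
    if [ ! -d "$base" ]; then
        echo "FAIL: $base is missing; workaround from the report: mkdir $base" >&2
        return 1
    fi

    # 755 was judged sufficient, so group or other write access is a finding.
    if [ -n "$(find "$base" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL: $base is writable by group or others" >&2
        return 2
    fi

    # authdir may not exist before xdm's first run; if it does, expect 700.
    if [ -e "$auth" ] && [ -z "$(find "$auth" -prune -type d -perm 700)" ]; then
        echo "FAIL: $auth exists but is not a directory with mode 700" >&2
        return 3
    fi

    echo "OK: $base is present with acceptable permissions"
    return 0
}

# Run against a real path only when asked: sh thisfile.sh --check [dir]
if [ "${1:-}" = "--check" ]; then
    check_xdm_authdir "${2:-/var/lib/xdm}"
fi
```

A non-zero return identifies which condition failed: 1 for the missing directory reported here, 2 for a writable base directory, 3 for an authdir that is not mode 700.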
