FS#52344 : [mate-session-manager] Default configuration is to listen on TCP ports

FS#52344 - [mate-session-manager] Default configuration is to listen on TCP ports

Attached to Project: Community Packages
Opened by Andy (Andy Random) - Tuesday, 03 January 2017, 04:13 GMT
Last edited by Antonio Rojas (arojas) - Wednesday, 18 January 2017, 12:48 GMT

Task Type	General Gripe
Category	Upstream Bugs
Status	Closed
Assigned To	Balló György (City-busz)
Architecture	All
Severity	Low
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	1 Andy (Andy Random) (2017-01-04)
Private	No

Details

Description:
The MATE Session Handler (/usr/bin/mate-session) default configuration is to listen on a TCP V4 and TCP V6 port. This is a total unnecessary security risk.

Additional info:
* package version(s)
Arch Linux i386 (but very likely on all platforms)
mate-session-manager 1.16.0-2 (mate mate-gtk3)

* config and/or log files etc.
/etc/lightdm/lightdm.conf
[XDMCPServer]
#enabled=false

ps axu | grep -e "X[org]"
/usr/lib/xorg-server/Xorg :0 -seat seat0 -auth /run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch

lsof -i -n -P
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mate-sess 899 user 13u IPv6 22760 0t0 TCP *:35757 (LISTEN)
mate-sess 899 user 14u IPv4 22761 0t0 TCP *:43365 (LISTEN)

Steps to reproduce:
startx

The software author is aware of the problem:
grep -A1 -ne "security reasons" mate-session-manager-1.16.0/mate-session/gsm-xsmp-server.c
566: * hosts, so for security reasons it would be best if ICE didn't
567- * even open any non-local sockets. So we use an internal ICElib

There are user complains since back from 2014:
https://bbs.archlinux.org/viewtopic.php?id=182726
https://bbs.archlinux.de/viewtopic.php?id=25645
with ZERO REACTION !
Is this on purpure to increase the attack area of a default Mate installation ?
And I couldn't find any documentation, nowhere, how to stop that.

This task depends upon

Closed by Antonio Rojas (arojas)
Wednesday, 18 January 2017, 12:48 GMT
Reason for closing: Fixed
Additional comments about closing: mate-session-manager 1.16.0-3

Comment by Doug Newgard (Scimmia) - Wednesday, 04 January 2017, 15:55 GMT

Sounds like something you should take upstream.

Comment by Andy (Andy Random) - Wednesday, 04 January 2017, 20:27 GMT

I have done this.
https://github.com/mate-desktop/mate-session-manager/issues/131
But NO REACTION so far.
It may take only 20 min. for an experienced, security minded, coder to fix this.
This: https://www.sciencedaily.com/releases/2016/12/161206111641.htm may help

Comment by Benjamin Hodgetts (Enverex) - Wednesday, 18 January 2017, 11:17 GMT

This has been reported upstream - https://github.com/mate-desktop/mate-session-manager/issues/131

Doesn't look like the issue's being replicated on any distro other than Arch.

Comment by Dustin Falgout (lots0logs) - Wednesday, 18 January 2017, 11:58 GMT

The issue appears to be caused by a missing makedep (xtrans). See this comment on github issue for details: https://github.com/mate-desktop/mate-session-manager/issues/131#issuecomment-273455862

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#52344 - [mate-session-manager] Default configuration is to listen on TCP ports

Details

Loading...