FS#52344 - [mate-session-manager] Default configuration is to listen on TCP ports
Attached to Project:
Community Packages
Opened by Andy (Andy Random) - Tuesday, 03 January 2017, 04:13 GMT
Last edited by Antonio Rojas (arojas) - Wednesday, 18 January 2017, 12:48 GMT
Opened by Andy (Andy Random) - Tuesday, 03 January 2017, 04:13 GMT
Last edited by Antonio Rojas (arojas) - Wednesday, 18 January 2017, 12:48 GMT
|
Details
Description:
The MATE Session Handler (/usr/bin/mate-session) default configuration is to listen on a TCP V4 and TCP V6 port. This is a total unnecessary security risk. Additional info: * package version(s) Arch Linux i386 (but very likely on all platforms) mate-session-manager 1.16.0-2 (mate mate-gtk3) * config and/or log files etc. /etc/lightdm/lightdm.conf [XDMCPServer] #enabled=false ps axu | grep -e "X[org]" /usr/lib/xorg-server/Xorg :0 -seat seat0 -auth /run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch lsof -i -n -P COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME mate-sess 899 user 13u IPv6 22760 0t0 TCP *:35757 (LISTEN) mate-sess 899 user 14u IPv4 22761 0t0 TCP *:43365 (LISTEN) Steps to reproduce: startx The software author is aware of the problem: grep -A1 -ne "security reasons" mate-session-manager-1.16.0/mate-session/gsm-xsmp-server.c 566: * hosts, so for security reasons it would be best if ICE didn't 567- * even open any non-local sockets. So we use an internal ICElib There are user complains since back from 2014: https://bbs.archlinux.org/viewtopic.php?id=182726 https://bbs.archlinux.de/viewtopic.php?id=25645 with ZERO REACTION ! Is this on purpure to increase the attack area of a default Mate installation ? And I couldn't find any documentation, nowhere, how to stop that. |
This task depends upon
Closed by Antonio Rojas (arojas)
Wednesday, 18 January 2017, 12:48 GMT
Reason for closing: Fixed
Additional comments about closing: mate-session-manager 1.16.0-3
Wednesday, 18 January 2017, 12:48 GMT
Reason for closing: Fixed
Additional comments about closing: mate-session-manager 1.16.0-3
https://github.com/mate-desktop/mate-session-manager/issues/131
But NO REACTION so far.
It may take only 20 min. for an experienced, security minded, coder to fix this.
This: https://www.sciencedaily.com/releases/2016/12/161206111641.htm may help
Doesn't look like the issue's being replicated on any distro other than Arch.