GNOME Bugzilla – Bug 87291
gdm should not open tcp ports by default
Last modified: 2003-07-08 08:30:44 UTC
I have no real statistics but I'd bet most people using gdm are using it on personal computers, not targeted (by default) at exporting X to other users. That way, gdm should not launch X and allow X to listen to tcp connections.

Proposed Correction: Instead of using:

[servers]
0=Standard
[server-Standard]
name=Standard server
command=/usr/X11R6/bin/X
flexible=true

Use:

[servers]
0=Standard
#0=AllowRemote
[server-Standard]
name=Standard server
command=/usr/X11R6/bin/X -nolisten tcp
flexible=true
[server-AllowRemote]
name=Standard server
command=/usr/X11R6/bin/X
flexible=true

in /etc/X11/gdm/gdm.conf
It would be nice to do this with some config option rather then defining a new server. That is, if an option is set, then always add -nolisten tcp to the X command line.
The two server options proposed were provided simply with the intention of giving a clear example of how to allow remote connections to an administrator who's not had experience with gdm. A normal desktop user not only lacks the skill to manage his workstation, but also has little to no notion of security. That said, I don't think an option is needed here for 4 reasons:

1. this is a sane and safe default
2. only root can change this file or configure the system to use, or not, gdm
3. normal desktop users don't log in to X remotely (so there's no need to expose them to unnecessary risks)
4. those that do usually have the systems set up by professionals, who at least should have an idea of how to change the gdm.conf by editing the text file

Finally, if an option is added to automatically add the '-nolisten tcp' flag, then that flag should have the default like:

Allow remote user connections: [ ] <-- note that it's off

or

Do not allow remote user connections: [x] <-- note that it's on

But I really think that there is no need for an option here. Setting remote user connections is a more advanced capability and can lie safely hidden in the human readable text config file.
Fixing this in cvs
Is this really fixed in recent versions? At least RedHat still ships their gdm without "nolisten tcp" in current Rawhide. I'll check their bugzilla soon too. Perhaps this could be implemented in the GDM Setup GUI, under the "Security" tab?
Right. So I added https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=98697 to RedHat's bugzilla. Nice to know there is one less security risk on account of default settings :)
The fix is adding the DisableTCP option and not adding -nolisten tcp to the command line. It is in the development version only and won't be backported to the stable version. When is the last time this really was a problem? The remote user still needs to have the correct cookie. A security hole would have to exist in X for this to be a problem.
A bug exploitable through a listening TCP port in some application. That's not exactly something rare... You need a cookie to be able to share an X connection, but not to gain advantage from a bug in the X server's socket for remote X clients...
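An added example (not part of this bug thread or of gdm itself) that audits a gdm.conf in the shape shown in the first comment: it lists every [server-*] command and flags any that would leave X listening on TCP, accepting either "-nolisten tcp" on the command line or the DisableTCP option the later comment describes (assumed here to live in the [security] section). The sample config it runs on is constructed inline.

```shell
#!/bin/sh
# Audit a gdm.conf for X servers that would listen on TCP.
# Exit status 0 if every server is covered, 1 if any is exposed.
audit_gdm_conf() {
  conf="$1"
  # DisableTCP=true (assumed to be in [security]) makes gdm add -nolisten tcp itself.
  disable_tcp=$(sed -n 's/^[[:space:]]*DisableTCP[[:space:]]*=[[:space:]]*//p' "$conf" \
                | tr 'A-Z' 'a-z' | tail -n 1)
  awk -v dt="$disable_tcp" '
    # Track which [server-NAME] section we are in; any other section resets it.
    /^\[server-/ { section=$0; sub(/^\[server-/, "", section); sub(/\].*/, "", section); next }
    /^\[/        { section=""; next }
    section != "" && /^[ \t]*command[ \t]*=/ {
      cmd=$0; sub(/^[^=]*=[ \t]*/, "", cmd)
      if (dt == "true")                  status="ok (DisableTCP=true)"
      else if (cmd ~ /-nolisten[ \t]+tcp/) status="ok (-nolisten tcp)"
      else                               { status="LISTENS ON TCP"; bad++ }
      printf "%s: %s\n", section, status
    }
    END { exit (bad > 0) }
  ' "$conf"
}

# Demo on a constructed config mirroring the proposal in the first comment.
demo=$(mktemp)
printf '%s\n' '[servers]' '0=Standard' '#0=AllowRemote' \
  '[server-Standard]' 'name=Standard server' 'command=/usr/X11R6/bin/X -nolisten tcp' 'flexible=true' \
  '[server-AllowRemote]' 'name=Standard server' 'command=/usr/X11R6/bin/X' 'flexible=true' > "$demo"
audit_gdm_conf "$demo" || echo "at least one configured X server would listen on TCP"
rm -f "$demo"
```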