GNOME Bugzilla – Bug 725100
gnome-session: listening on TCP port (high port)
Last modified: 2014-02-25 21:42:03 UTC
During a regular security audit, it was noted that gnome-session is listening on TCP ports (random). The connection seems to be 'open' only, but nothing is consuming the traffic. It's highly questionable why gnome-session would be listening on a TCP port from remote hosts:

tcp        2      0 0.0.0.0:52660           0.0.0.0:*               LISTEN      1141/gnome-session
tcp        0      0 :::56590                :::*                    LISTEN      1141/gnome-session

Can this please be explained/documented?
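As an added check (not part of the bug report) that reproduces the audit finding above from `netstat -tlnp` style output: it lists every LISTEN socket of a named program that is bound to a non-loopback address, which is exactly the condition the reporter flagged. The sample lines are constructed to mirror the report, and the function names (`remote_listeners`, `count_remote_listeners`) are my own.

```shell
#!/bin/sh
# Added example: flag TCP listeners of a given program that are bound to a
# non-loopback address. Input is assumed to be in "netstat -tlnp" layout:
#   proto recv-q send-q local-address foreign-address state pid/program

# Constructed sample, modelled on the lines quoted in the bug report plus
# two loopback-only listeners that must NOT be flagged.
SAMPLE_NETSTAT='tcp        2      0 0.0.0.0:52660           0.0.0.0:*               LISTEN      1141/gnome-session
tcp        0      0 :::56590                :::*                    LISTEN      1141/gnome-session
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      900/cupsd
tcp        0      0 ::1:6010                :::*                    LISTEN      1200/sshd'

# remote_listeners PROGRAM
# Reads netstat-style lines on stdin and prints "pid/program local-address"
# for every LISTEN entry of PROGRAM whose bind address is not loopback.
remote_listeners() {
    prog="$1"
    awk -v prog="$prog" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            split($7, p, "/")          # "1141/gnome-session" -> pid, name
            if (p[2] != prog) next
            addr = $4
            sub(/:[0-9]+$/, "", addr)  # strip the port, keep the address
            # loopback forms: 127.x.x.x, ::1 and the IPv4-mapped ::ffff:127.x.x.x
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print $7, $4
        }'
}

# count_remote_listeners PROGRAM
# Number of non-loopback listeners of PROGRAM in the constructed sample.
count_remote_listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" | remote_listeners "$1" | wc -l | tr -d ' '
}

# Usage on a live system (needs root to see the pid/program column):
#   netstat -tlnp | remote_listeners gnome-session
printf '%s\n' "$SAMPLE_NETSTAT" | remote_listeners gnome-session
```

Header lines of real netstat output ("Active Internet connections", "Proto Recv-Q ...") do not match the `^tcp` / `LISTEN` pattern and are skipped, so the function can be fed the raw command output. A wildcard bind such as `0.0.0.0` or `::` is reported, because it is reachable from remote hosts, which is the point of the audit.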
maybe libICE is doing it? I see this in the code:

    #ifdef HAVE_X11_XTRANS_XTRANS_H
            /* By default, IceListenForConnections will open one socket for each
             * transport type known to X. We don't want connections from remote
             * hosts, so for security reasons it would be best if ICE didn't
             * even open any non-local sockets. So we use an internal ICElib
             * method to disable them here. Unfortunately, there is no way to
             * ask X what transport types it knows about, so we're forced to
             * guess.
             */
            _IceTransNoListen ("tcp");
    #endif

is that variable defined for you?
s/variable/preprocessor define/
Just checking the build log (currently no access to more):

[ 182s] checking X11/Xtrans/Xtrans.h usability... no
[ 182s] checking X11/Xtrans/Xtrans.h presence... no
[ 182s] checking for X11/Xtrans/Xtrans.h... no

=> It's assumed that this is indeed the 'issue' here.
Do you mind writing a patch to make libXtrans a hard buildrequires (say PKG_CHECK_MODULES(xtrans))? Or we could NOTABUG this, too, I guess. What's your take?
I'll provide a patch later this evening... I'd suggest something along the lines of:

- Check if it's there
+ If not: ABORT if the user did not specifically say he does not want it
=> This would allow to override if it's really not needed (with a possible notice that this will open ICE sockets 'to the outside')

What do you think of that?
Created attachment 270302: Check stricter for presence of xtrans (with option to disable)

Not having xtrans available during build results in gnome-session listening on remote TCP sockets (although not acting upon them). We strongly encourage the use of xtrans to minimize this surface. If using xtrans is not an option, it can be overruled by --without-xtrans.
Review of attachment 270302:

::: configure.ac
@@ +278,3 @@
+AS_IF([test "$with_xtrans" != "no"],
+ [PKG_CHECK_MODULES(XTRANS, xtrans, have_xtrans=yes, have_xtrans=no)])
+if test "$have_xtrans" = yes; then

Use AS_IF() here too please for consistency.

@@ +282,3 @@
+fi
+AC_SUBST(HAVE_XTRANS)
+AC_SUBST(XTRANS_CFLASG)

Typo. And in any case PKG_CHECK_MODULES already does AC_SUBST().
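Review bot: in the @@ +278,3 @@ hunk, have_xtrans is only assigned inside the AS_IF branch, so with --without-xtrans the following `if test "$have_xtrans" = yes` works only because an unset variable compares as empty; initialise `have_xtrans=no` before the AS_IF so the disabled path is explicit rather than accidental. Also worth confirming that the xtrans branch still results in HAVE_X11_XTRANS_XTRANS_H being defined, since that is the preprocessor guard around `_IceTransNoListen ("tcp")` quoted earlier in this thread, and the hunk shows only PKG_CHECK_MODULES, which on its own does not produce that define.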
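Review bot: in the @@ +282,3 @@ hunk, the `+fi` closes the `if` from the previous hunk, so if that `if` is converted to AS_IF() as requested, this `fi` has to be removed in the same change or configure will fail to run. The line between the two hunks (where HAVE_XTRANS is presumably assigned) is not shown; please check that AC_SUBST(HAVE_XTRANS) substitutes a variable that is actually set on both the with- and without-xtrans paths, and drop the misspelled `AC_SUBST(XTRANS_CFLASG)` line, since PKG_CHECK_MODULES already substitutes XTRANS_CFLAGS.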
Created attachment 270321: Check stricter for presence of xtrans (with option to disable)

Not having xtrans available during build results in gnome-session listening on remote TCP sockets (although not acting upon them). We strongly encourage the use of xtrans to minimize this surface. If using xtrans is not an option, it can be overruled by --without-xtrans.
(In reply to comment #7)
> Review of attachment 270302:
>
> ::: configure.ac
> @@ +278,3 @@
> +AS_IF([test "$with_xtrans" != "no"],
> + [PKG_CHECK_MODULES(XTRANS, xtrans, have_xtrans=yes, have_xtrans=no)])
> +if test "$have_xtrans" = yes; then
>
> Use AS_IF() here too please for consistency.

Thanks for the review.. looking at it, actually, the 2nd if makes no sense.. I squashed it into the 'true' condition of PKG_CHECK_MODULES

> @@ +282,3 @@
> +fi
> +AC_SUBST(HAVE_XTRANS)
> +AC_SUBST(XTRANS_CFLASG)
>
> Typo. And in any case PKG_CHECK_MODULES already does AC_SUBST().

Removed the one with the typo, which would be done by PKG_CHECK.. only left AC_SUBST(HAVE_XTRANS)
Review of attachment 270321:

Looks good to me.
Attachment 270321 pushed as aa4c9d1 - Check stricter for presence of xtrans (with option to disable)
Thanks for the guidance and quick review...