
urgent wdm security issue (woody & sid only)



(Sorry for the cross-posting; this is somewhat important)

Versions 1.20-11.2 and 1.20-12 of wdm contain a configuration error that
caused X session authentication data to be stored in a non-existent
directory.  In situations like this, the X server falls back to a
security mode which allows *all* users of the local system to access the
display.  That is to say, it was essentially running as though "xhost
localhost && xhost `hostname -f`" had been run.

People using sid should see 1.20-13 in the archives now.  If you are
using woody, you should install 1.20-13 from sid now.  It is available 
for i386 at:
http://http.us.debian.org/debian/pool/main/w/wdm/wdm_1.20-13_i386.deb

It has not yet been built for other architectures.

When you install the updated package, you will be asked if you want to
install a new version of /etc/X11/wdm/wdm-config.  If you install a new
version, then the authentication problem will be fixed.  If you do not
wish to install a new version of that file, then please edit it and
change the DisplayManager.authDir resource to /var/lib/wdm

Be sure that wdm gets restarted after you make the changes.  Once the
change is made, you can verify that it worked by running 'xhost'.  If it
outputs "access control enabled, only authorized clients can connect",
and nothing else, then you're all set.

Thanks to the several people who pointed this problem out to me in the
past couple of days.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
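
The two checks from the message above (authDir pointing at a directory that exists, and xhost printing only the "access control enabled" line), as an added example that is not part of the original message or of the wdm package. The function names and the `--live` switch are assumptions made for this sketch; the config path and the expected xhost line are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: audit helper for the wdm authDir fix (hypothetical names).

# Print the value of DisplayManager.authDir from an X resource file.
# Lines starting with '!' are comments and never match; last assignment wins.
get_authdir() {
    sed -n 's/^[[:space:]]*DisplayManager\.authDir[[:space:]]*:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Return 0 if authDir in config file $1 is set and names an existing directory,
# 1 if the directory is missing (the broken state), 2 if the resource is unset.
check_authdir() {
    dir=$(get_authdir "$1")
    [ -n "$dir" ] || { echo "authDir not set in $1"; return 2; }
    [ -d "$dir" ] || { echo "authDir $dir does not exist"; return 1; }
    echo "authDir $dir exists"
}

# Return 0 only if the xhost output in $1 is exactly the one line the message
# gives. Any extra line (a host entry) or a different first line fails.
check_xhost_output() {
    expected='access control enabled, only authorized clients can connect'
    [ "$1" = "$expected" ]
}

# Run against the live system only when asked: sh check-wdm.sh --live
if [ "${1:-}" = "--live" ]; then
    check_authdir /etc/X11/wdm/wdm-config || exit 1
    if check_xhost_output "$(xhost)"; then
        echo "xhost: access control enabled, no extra entries"
    else
        echo "xhost: display is not restricted to authorized clients"
        exit 1
    fi
fi
```

Run the live check from inside an X session started by the restarted wdm, since xhost needs a display to query.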
