
Bug#130706: marked as done (xdm: incorrect usage of PAM_RHOST)



Your message dated Tue, 11 Mar 2008 14:18:12 +0100
with message-id <20080311131811.GA15165@patate.is-a-geek.org>
and subject line Re: Bug#130706: xdm: incorrect usage of PAM_RHOST
has caused the Debian Bug report #130706,
regarding xdm: incorrect usage of PAM_RHOST
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
130706: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=130706
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: xdm
Version: 4.1.0-13
Severity: normal

What I think is wrong:
xdm sets PAM_RHOST to hostname:displaynumber

PAM documentation (The Linux-PAM Application Developers' Guide) states
that PAM_RHOST should be set to just the hostname.

This means that PAM modules that check this info, e.g., to do host based
access control, won't work.  E.g., if pam_access is used to deny access
from certain remote hosts, xdm will introduce a security hole in the
system.  I realise that host based access control can be done in
/etc/X11/xdm/Xaccess, but PAM configuration is more flexible, and some
administrators may rely on PAM and not know about the hole in xdm.


-- System Information
Debian Release: 3.0
Kernel Version: Linux milton 2.4.17-milton #1 Sun Jan 13 18:09:11 NZDT 2002 i686 unknown

Versions of the packages xdm depends on:
ii  cpp            2.95.4-9       The GNU C preprocessor.
ii  debconf        1.0.22         Debian configuration management system
ii  libc6          2.2.4-7        GNU C Library: Shared libraries and Timezone
ii  libpam0g       0.72-34        Pluggable Authentication Modules library
ii  libxaw7        4.1.0-13       X Athena widget set library
ii  xbase-clients  4.1.0-13       miscellaneous X clients
ii  xlibs          4.1.0-13       X Window System client libraries

--- Begin /etc/X11/xdm/Xaccess (modified conffile)
riccarton.itspace
milton.itspace

--- End /etc/X11/xdm/Xaccess

--- Begin /etc/X11/xdm/Xservers (modified conffile)

--- End /etc/X11/xdm/Xservers

--- Begin /etc/X11/xdm/xdm-config (modified conffile)
! $Xorg: xdm-conf.cpp,v 1.3 2000/08/17 19:54:17 cpqbld Exp $
!
!
!
!
! $XFree86: xc/programs/xdm/config/xdm-conf.cpp,v 1.6 2000/01/31 19:33:43 dawes Exp $
!
DisplayManager.errorLogFile:	/var/log/xdm.log
DisplayManager.pidFile:		/var/run/xdm.pid
DisplayManager.keyFile:		/usr/X11R6/lib/X11/xdm/xdm-keys
DisplayManager.servers:		/usr/X11R6/lib/X11/xdm/Xservers
DisplayManager.accessFile:	/usr/X11R6/lib/X11/xdm/Xaccess
DisplayManager.authDir:		/var/lib/xdm
DisplayManager.willing:		su nobody -c /usr/X11R6/lib/X11/xdm/Xwilling
! All displays should use authorization.
! X terminals may not be configured that way, so they will require
! individualized resource settings.
DisplayManager*authorize:	true
! Scripts to start the server, start the user session, and reset the server
DisplayManager*setup:		/usr/X11R6/lib/X11/xdm/Xsetup
DisplayManager*startup:		/usr/X11R6/lib/X11/xdm/Xstartup
DisplayManager*reset:		/usr/X11R6/lib/X11/xdm/Xreset
DisplayManager*resources:	/usr/X11R6/lib/X11/xdm/Xresources
DisplayManager*session:		/usr/X11R6/lib/X11/xdm/Xsession
!
DisplayManager*userPath:	/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
DisplayManager*systemPath:	/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11
DisplayManager*loginmoveInterval:	10
! SECURITY: do not listen for XDMCP or Chooser requests
! Comment out this line if you want to manage X terminals with xdm
! DisplayManager.requestPort:	0

--- End /etc/X11/xdm/xdm-config


--- End Message ---
--- Begin Message ---
notfound 130706 1:1.1.4-1
fixed 130706 1:1.1.4-1
kthxbye

On Tue, Mar 11, 2008 at 13:53:40 +0100, Bastian Kleineidam wrote:

> On Saturday, 8 March 2008 07:49:15, you wrote:
> > In the latest version, xdm uses the display name, replaces the last
> > colon with '\0', and passes that value as PAM_RHOST, if the display name
> > doesn't start with a colon.  That looks correct to me.
> > If the display name starts with a colon (i.e. the X server is local),
> > then the display name is used to set PAM_TTY.
> >
> > Is there still a problem with this, or can this bug be closed?
> The behaviour above looks ok to me, so I think the bug can be closed.
> 
Thanks for following up. Marking the bug fixed in xdm version 1:1.1.4-1
(it was fixed upstream in 1.1.1).

Cheers,
Julien


--- End Message ---
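The following C program is an added example, not xdm's code and not anything posted in the bug report or the closing message above. It models the two behaviours the thread describes: the reported one, where the whole display name ("host:0") is handed to PAM as PAM_RHOST so an exact-host deny rule never matches, and the fixed one, where a display name beginning with a colon goes into PAM_TTY and any other display name is cut at its last colon before the host part becomes PAM_RHOST. `struct pam_items`, `set_items_old`, `set_items_fixed` and `access_denied` are hypothetical stand-ins for `pam_set_item()` and a pam_access "-:ALL:host" deny rule (real pam_access also matches networks, domains and ALL; only the exact host case is modelled). The display names and the denied host are constructed sample input, with host names borrowed from the Xaccess file quoted in the report.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Stand-in for the PAM items a display manager sets before pam_authenticate().
 * Hypothetical struct; a real program would call pam_set_item() on a pam_handle_t. */
struct pam_items {
    char rhost[256]; /* PAM_RHOST: remote host, empty for a local server */
    char tty[256];   /* PAM_TTY: display name, set only for a local server */
};

/* Behaviour reported in #130706: the entire display name, display number
 * included, is stored as PAM_RHOST. */
static void set_items_old(const char *display, struct pam_items *out)
{
    memset(out, 0, sizeof *out);
    snprintf(out->rhost, sizeof out->rhost, "%s", display);
}

/* Behaviour described in the closing message: a display name starting with
 * ':' belongs to a local X server and becomes PAM_TTY; otherwise the name is
 * truncated at its last colon and the host part becomes PAM_RHOST.
 * Returns 0 on success, -1 if the name contains no colon or is too long. */
static int set_items_fixed(const char *display, struct pam_items *out)
{
    memset(out, 0, sizeof *out);
    if (display[0] == ':') {
        snprintf(out->tty, sizeof out->tty, "%s", display);
        return 0;
    }
    const char *colon = strrchr(display, ':');
    if (colon == NULL)
        return -1;
    size_t hostlen = (size_t)(colon - display);
    if (hostlen >= sizeof out->rhost)
        return -1;
    memcpy(out->rhost, display, hostlen);
    out->rhost[hostlen] = '\0';
    return 0;
}

/* Simplified pam_access-style rule "-:ALL:<denied_host>": deny when PAM_RHOST
 * equals the denied host (case-insensitive). Local logins carry no PAM_RHOST
 * and are not affected. Returns 1 when access is denied, 0 otherwise. */
static int access_denied(const struct pam_items *items, const char *denied_host)
{
    if (items->rhost[0] == '\0')
        return 0;
    return strcasecmp(items->rhost, denied_host) == 0;
}

int main(void)
{
    struct pam_items items;
    const char *denied = "riccarton.itspace";   /* constructed deny rule */
    const char *remote = "riccarton.itspace:0"; /* constructed remote display */

    set_items_old(remote, &items);
    printf("old:   PAM_RHOST=\"%s\" denied=%d\n",
           items.rhost, access_denied(&items, denied));

    set_items_fixed(remote, &items);
    printf("fixed: PAM_RHOST=\"%s\" denied=%d\n",
           items.rhost, access_denied(&items, denied));

    set_items_fixed(":0", &items);
    printf("local: PAM_TTY=\"%s\" PAM_RHOST=\"%s\"\n", items.tty, items.rhost);
    return 0;
}
```

With the old behaviour the deny rule for riccarton.itspace silently fails to match "riccarton.itspace:0", which is the hole the reporter describes; with the fixed behaviour the same rule matches. Cutting at the last colon rather than the first is what keeps a display name such as "milton.itspace:1.0" (display 1, screen 0) from losing anything but the display part.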