Your message dated Sun, 31 Oct 2010 14:20:07 +0100
with message-id <20101031132007.GE2577@debian.org>
and subject line Re: Bug#601878: xserver-xorg-core: no access control by default
has caused the Debian Bug report #601878,
regarding xserver-xorg-core: no access control by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
601878: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601878
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: xserver-xorg-core: no access control by default
- From: Josselin Mouette <joss@debian.org>
- Date: Sat, 30 Oct 2010 16:43:15 +0200
- Message-id: <20101030144315.GA14218@saya.malsain.org>
Package: xserver-xorg-core
Version: 2:1.7.7-7
Severity: important

As discussed with KiBi, there is a fairly important security issue with the X server in squeeze.

Start an X or Xephyr server, with no -auth argument. It will accept all clients without a question. With -auth blahblah, as gdm does, it will, as expected, accept only authenticated connections.

The version in lenny behaves as expected and just refuses all connections unless passed -ac.

-- 
 .''`.      Josselin Mouette
: :' :
`. `'   “If you behave this way because you are blackmailed by someone,
  `-     […] I will see what I can do for you.” -- Jörg Schilling
--- End Message ---
--- Begin Message ---
- To: Josselin Mouette <joss@debian.org>, 601878-done@bugs.debian.org
- Subject: Re: Bug#601878: xserver-xorg-core: no access control by default
- From: Cyril Brulebois <kibi@debian.org>
- Date: Sun, 31 Oct 2010 14:20:07 +0100
- Message-id: <20101031132007.GE2577@debian.org>
- In-reply-to: <20101030144315.GA14218@saya.malsain.org>
- References: <20101030144315.GA14218@saya.malsain.org>
Hi,

Josselin Mouette <joss@debian.org> (30/10/2010):
> As discussed with KiBi, there is a fairly important security issue
> with the X server in squeeze.

thanks for the reminder, yeah.

> Start an X or Xephyr server, with no -auth argument. It will accept
> all clients without a question. With -auth blahblah, as gdm does, it
> will, as expected, accept only authenticated connections.

that's the expe^Wdocumented behaviour:
- no parameter = everyone from localhost is trusted.
- with -auth /does/not/exist = same behaviour.
- with -auth ~/.Xauthority (for example) = limits to those rules.
- with -ac = disable ACL entirely, everyone is welcome, including from the network.

Quoting from Xserver(1) [from 1.9 but that didn't change from 1.7 IIRC]:

    Each time the server is about to accept the first connection after a
    reset (or when the server is starting), it reads this file. If this
    file contains any authorization records, the local host is not
    automatically allowed access to the server, and only clients which
    send one of the authorization records contained in the file in the
    connection setup information will be allowed access. See the Xau
    manual page for a description of the binary format of this file. See
    xauth(1) for maintenance of this file, and distribution of its
    contents to remote hosts.

Closing as not a bug (even though anyone is welcome to talk with upstream).

Mraw,
KiBi.
--- End Message ---
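As an added example, not part of this thread or of the X.Org sources: a parser for the Xau binary format that the quoted Xserver(1) text refers to, plus a check that a file handed to -auth actually holds at least one record, since the reply above notes that a missing or empty file leaves every local client trusted. The host name, display number and cookie in the sample record are constructed, and FAMILY_LOCAL is taken from <X11/Xauth.h>.

```python
import struct

FAMILY_LOCAL = 256  # FamilyLocal in <X11/Xauth.h>, used for ":0"-style displays

def _read_counted(buf, pos):
    """Read one length-prefixed (big-endian u16) field of the Xau format."""
    (length,) = struct.unpack_from(">H", buf, pos)  # struct.error if truncated
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated field at offset %d" % pos)
    return buf[pos + 2:end], end

def parse_xauthority(buf):
    """Parse Xau records: family (u16), then address, number, name and data,
    each stored as a u16 length followed by that many bytes."""
    records, pos = [], 0
    while pos < len(buf):
        (family,) = struct.unpack_from(">H", buf, pos)
        address, pos = _read_counted(buf, pos + 2)
        number, pos = _read_counted(buf, pos)
        name, pos = _read_counted(buf, pos)
        data, pos = _read_counted(buf, pos)
        records.append({"family": family, "address": address.decode("latin-1"),
                        "number": number.decode("ascii"),
                        "name": name.decode("ascii"), "data": data})
    return records

def auth_file_restricts_access(path):
    """True only if the file exists and holds at least one record; a missing or
    empty -auth file leaves the server trusting every local client."""
    try:
        with open(path, "rb") as fh:
            return len(parse_xauthority(fh.read())) > 0
    except FileNotFoundError:
        return False

def make_record(family, address, number, name, data):
    """Encode one record in the Xau format (inverse of parse_xauthority)."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

# Constructed sample: one MIT-MAGIC-COOKIE-1 record for display :0 on host
# "saya" with a fake 16-byte cookie (not a real credential).
SAMPLE_COOKIE = bytes(range(16))
SAMPLE_XAUTHORITY = make_record(FAMILY_LOCAL, b"saya", b"0", b"MIT-MAGIC-COOKIE-1", SAMPLE_COOKIE)
```

Running auth_file_restricts_access against the path given to -auth before starting the server distinguishes the "-auth /does/not/exist" case from a file that really limits access.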