
Bug#601878: marked as done (xserver-xorg-core: no access control by default)



Your message dated Sun, 31 Oct 2010 14:20:07 +0100
with message-id <20101031132007.GE2577@debian.org>
and subject line Re: Bug#601878: xserver-xorg-core: no access control by default
has caused the Debian Bug report #601878,
regarding xserver-xorg-core: no access control by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
601878: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601878
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: xserver-xorg-core
Version: 2:1.7.7-7
Severity: important

As discussed with KiBi, there is a fairly important security issue with 
the X server in squeeze.

Start an X or Xephyr server, with no -auth argument. It will accept all 
clients without a question. With -auth blahblah, as gdm does, it will, 
as expected, accept only authenticated connections.

The version in lenny behaves as expected and just refuses all 
connections unless passed -ac.

-- 
 .''`.      Josselin Mouette
: :' :
`. `'  “If you behave this way because you are blackmailed by someone,
  `-    […] I will see what I can do for you.”  -- Jörg Schilling



--- End Message ---
--- Begin Message ---
Hi,

Josselin Mouette <joss@debian.org> (30/10/2010):
> As discussed with KiBi, there is a fairly important security issue
> with the X server in squeeze.

thanks for the reminder, yeah.

> Start a X or Xephyr server, with no -auth argument. It will accept
> all clients without a question. With -auth blahblah, as gdm does, it
> will, as expected, accept only authenticated connections.

that's the expe^Wdocumented behaviour:
 - no parameter = everyone from localhost is trusted.
 - with -auth /does/not/exist = same behaviour.
 - with -auth ~/.Xauthority (for example) = limits to those rules.
 - with -ac = disable ACL entirely, everyone is welcome, including
   from the network.

Quoting from Xserver(1) [from 1.9 but that didn't change from 1.7
IIRC]:
       Each time the server is about to accept the first connection after a
       reset (or when the server is starting), it reads this file. If this
       file contains any authorization records, the local host is not
       automatically allowed access to the server, and only clients which
       send one of the authorization records contained in the file in the
       connection setup information will be allowed access. See the Xau
       manual page for a description of the binary format of this file. See
       xauth(1) for maintenance of this file, and distribution of its
       contents to remote hosts.

Closing as not a bug (even though anyone is welcome to talk with
upstream).

Mraw,
KiBi.



--- End Message ---
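The states KiBi lists come down to what the server finds in the -auth file at the moment it reads it: no file or an empty file leaves the local host trusted, a file with records turns on cookie checking. As an added worked example (not code from the bug report, from Debian or from the X server), the Python below parses and writes Xauthority records in the Xau binary format the man page refers to, classifies a path the way the quoted Xserver(1) paragraph describes, and builds the connection-setup bytes in which a client presents a cookie. The hostname, display number and cookie bytes are constructed for the example; the -ac switch is a command-line flag rather than a file state and is not modelled.

```python
"""Inspect an X server's -auth input the way Xserver(1) describes it.

Added example: the Xauthority layout (big-endian family, then four
length-prefixed strings) and the X11 connection-setup header follow the
Xau and X protocol specifications; hostnames, display numbers and cookie
bytes below are constructed test data.
"""
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

FAMILY_INTERNET = 0      # IPv4 address in `address`
FAMILY_LOCAL = 256       # hostname in `address` (Unix-domain / local clients)
FAMILY_WILD = 0xFFFF     # matches any family/address


@dataclass
class XauthEntry:
    family: int
    address: bytes
    number: bytes   # display number as ASCII, e.g. b"0"
    name: bytes     # authorization protocol name, e.g. b"MIT-MAGIC-COOKIE-1"
    data: bytes     # the secret (16 random bytes for MIT-MAGIC-COOKIE-1)


def _read_counted(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read a 16-bit big-endian length followed by that many bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length field at offset %d" % pos)
    (n,) = struct.unpack(">H", buf[pos:pos + 2])
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated counted string at offset %d" % pos)
    return buf[pos:pos + n], pos + n


def parse_xauthority(buf: bytes) -> List[XauthEntry]:
    """Decode every record in an Xauthority file; an empty file yields []."""
    entries, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated family field at offset %d" % pos)
        (family,) = struct.unpack(">H", buf[pos:pos + 2])
        pos += 2
        address, pos = _read_counted(buf, pos)
        number, pos = _read_counted(buf, pos)
        name, pos = _read_counted(buf, pos)
        data, pos = _read_counted(buf, pos)
        entries.append(XauthEntry(family, address, number, name, data))
    return entries


def encode_entry(e: XauthEntry) -> bytes:
    """Inverse of parse_xauthority for one record (what `xauth add` writes)."""
    def counted(b: bytes) -> bytes:
        return struct.pack(">H", len(b)) + b
    return (struct.pack(">H", e.family) + counted(e.address) +
            counted(e.number) + counted(e.name) + counted(e.data))


def make_cookie_entry(hostname: str, display: int,
                      cookie: Optional[bytes] = None) -> XauthEntry:
    """Build a FamilyLocal MIT-MAGIC-COOKIE-1 record; random cookie by default."""
    cookie = os.urandom(16) if cookie is None else cookie
    return XauthEntry(FAMILY_LOCAL, hostname.encode(), str(display).encode(),
                      b"MIT-MAGIC-COOKIE-1", cookie)


def describe_auth_mode(auth_path: Optional[str]) -> Tuple[str, str]:
    """Classify what the server does with this -auth argument per Xserver(1)."""
    if auth_path is None:
        return "localhost-trusted", "no -auth: host-based access control only"
    if not os.path.exists(auth_path):
        return "localhost-trusted", "-auth file missing: same as no -auth"
    with open(auth_path, "rb") as f:
        entries = parse_xauthority(f.read())
    if not entries:
        return "localhost-trusted", "-auth file has no records"
    return "cookie-required", "%d record(s): clients must present one" % len(entries)


def build_connection_setup(auth_name: bytes, auth_data: bytes,
                           little_endian: bool = True) -> bytes:
    """X11 connection-setup request carrying an authorization record.

    Layout: byte-order, pad, major=11, minor=0, n=len(name), d=len(data),
    2 pad bytes, then name and data each padded to a 4-byte boundary.
    """
    def pad4(b: bytes) -> bytes:
        return b + b"\x00" * ((4 - len(b) % 4) % 4)
    order = "<" if little_endian else ">"
    byte_order = ord("l") if little_endian else ord("B")
    header = struct.pack(order + "BxHHHHxx", byte_order, 11, 0,
                         len(auth_name), len(auth_data))
    return header + pad4(auth_name) + pad4(auth_data)


def demo() -> dict:
    """Exercise the missing / empty / populated -auth cases in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        missing = os.path.join(d, "does-not-exist")
        empty = os.path.join(d, "empty")
        open(empty, "wb").close()
        full = os.path.join(d, "Xauthority")
        entry = make_cookie_entry("localhost", 0, bytes(range(16)))  # constructed cookie
        with open(full, "wb") as f:
            f.write(encode_entry(entry))
        results["none"] = describe_auth_mode(None)[0]
        results["missing"] = describe_auth_mode(missing)[0]
        results["empty"] = describe_auth_mode(empty)[0]
        results["records"] = describe_auth_mode(full)[0]
        with open(full, "rb") as f:
            results["roundtrip"] = parse_xauthority(f.read()) == [entry]
        results["setup_len"] = len(build_connection_setup(entry.name, entry.data))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run it against a real `~/.Xauthority` with `describe_auth_mode(os.path.expanduser("~/.Xauthority"))` to see which of the two regimes a server started with that file would be in; the point of the thread is that an empty or absent file and no -auth at all are the same regime.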
