Bug 1268900
Summary: lxdm: X server started without -auth, exposing it to connections from any local user

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tomas Hoger <thoger> |
| Component: | lxdm | Assignee: | Mamoru TASAKA <mtasaka> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 23 | CC: | airlied, ajax, carnil, christoph.wickert, cperry, kem, mtasaka, rstrode, security-response-team |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | lxdm-0.4.1-10.fc22 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-23 12:23:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1283581 | | |
| Bug Blocks: | 1284460 | | |
| Attachments: | | | |
Description: Tomas Hoger, 2015-10-05 15:07:11 UTC

I did some more testing, and I could not reproduce with a defaultish (I changed /etc/gdm/custom.conf to WaylandEnable=false) F22 installation. I could not reproduce with GNOME sessions (shell or classic) started from gdm. I could reproduce with Xephyr or Xnest started within a GNOME session. I could also reproduce after replacing gdm with lxdm with the default GNOME shell session, and also start applications on lxdm's pre-login screen.

Ok, I think I got confused by lxdm doing the wrong thing (starting the X server without -auth), plus my pebkac mistake when testing (sometimes starting the X server directly and sometimes using startx). I'm re-assigning to lxdm to have it fixed to properly start the X server with -auth.

Right, X without -auth implies anyone local can connect. If lxdm is doing that, it needs to be fixed.

(In reply to Ray Strode [halfline] from comment #3)
> if lxdm is doing that, it needs to be fixed.

I already mailed upstream author dgod.osa@gmail about this.

I got no response from upstream yet, but I noticed this commit that was added to upstream git a few hours ago: http://git.lxde.org/gitweb/?p=lxde/lxdm.git;a=commitdiff;h=e8f387089e241360bdc6955d3e479450722dcea3

I actually got a "Should be fixed in git now." response from upstream, but it ended up in my spam folder.

F-22 lxdm is so old (published more than 3 years ago) and an extra check is needed (and I don't use F-22 any longer).

Created attachment 1080978 [details]
Patch re-diffed for 0.4.1

(In reply to Mamoru TASAKA from comment #7)
> F-22 lxdm is so old (published more than 3 years ago) and extra check is
> needed (and I don't use F-22 any longer)

The upstream patch applies rather cleanly to 0.4.1 in F22. Attaching the re-diffed patch. Scratch build for F22 is here: http://koji.fedoraproject.org/koji/taskinfo?taskID=11372079 With the patch, X is now started with the -auth argument as expected.

Making this bug public.

Mamoru, if you're going to prepare updates for F21 and F22, consider also applying the fix for bug 846086. An upstream patch for that issue is available.

lxdm-0.4.1-10.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-adbae85c55

lxdm-0.4.1-10.fc21 has been submitted as an update to Fedora 21. https://bodhi.fedoraproject.org/updates/FEDORA-2015-7766c0d939

The git version with the above fix was tagged and released as lxdm 0.5.2.

lxdm-0.4.1-10.fc21 has been pushed to the Fedora 21 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update lxdm'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-7766c0d939

lxdm-0.4.1-10.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update lxdm'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-adbae85c55

lxdm-0.5.1-7.D20151007gite8f38708.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update lxdm'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-44deee4d7a

lxdm-0.4.1-10.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

lxdm-0.4.1-10.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

lxdm-0.5.1-7.D20151007gite8f38708.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Now an NFS user is seeing bug 1283581. I am currently thinking of reverting this. Also (perhaps) the same bug report on the upstream: http://sourceforge.net/p/lxde/bugs/786/

(In reply to Mamoru TASAKA from comment #21)
> Now NFS user is seeing bug 1283581 . I am currently thinking of reverting
> this.

I do not think this should be made insecure by default to address some non-standard use case, where the actual root cause is not yet understood.

I'm re-closing this, as bug 1283581 is apparently getting fixed without needing to revert the fix for this issue.
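As an added example (not code from this bug report or from lxdm), a small POSIX sh audit that checks X server command lines for the -auth argument the fix restores, so an administrator can verify a display manager is no longer starting X the way this bug describes. The process-table lines and the auth file path below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the bug report or from lxdm: audit X server
# command lines for the "-auth <file>" argument that lxdm was omitting.
# An X server started without -auth accepts any local client, which is the
# exposure this bug describes. Paths in the sample below are constructed.

# x_cmdline_has_auth "CMDLINE": exit 0 if "-auth FILE" is present, 1 otherwise.
x_cmdline_has_auth() {
    set -- $1                       # split the command line into words
    while [ $# -gt 0 ]; do
        if [ "$1" = "-auth" ]; then
            case "$2" in            # -auth must be followed by a file name
                ""|-*) return 1 ;;
                *)     return 0 ;;
            esac
        fi
        shift
    done
    return 1
}

# audit_x_lines: read "PID ARGS" lines (the shape of `ps -eo pid=,args=`) on
# stdin and print one OK / MISSING-AUTH line per X server found.
audit_x_lines() {
    while read -r pid args; do
        [ -n "$args" ] || continue
        cmd=${args%% *}
        case "${cmd##*/}" in        # only look at X server binaries
            X|Xorg|Xephyr|Xnest) ;;
            *) continue ;;
        esac
        if x_cmdline_has_auth "$args"; then
            echo "OK           pid=$pid $args"
        else
            echo "MISSING-AUTH pid=$pid $args"
        fi
    done
}

# audit_running_x: run the same audit against the live process table.
audit_running_x() {
    ps -eo pid=,args= | audit_x_lines
}

# Constructed sample process table: one server started correctly, one without -auth.
SAMPLE_PS='  812 /usr/bin/Xorg :0 -auth /run/lxdm/EXAMPLE-:0.auth -nolisten tcp vt1
  901 /usr/bin/X :1 -nolisten tcp vt2
  950 /usr/bin/gnome-shell'

printf '%s\n' "$SAMPLE_PS" | audit_x_lines
```

Run `audit_running_x` on a live machine after the lxdm update to confirm every X server line reports OK.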