Bug 1647621
| Summary: | Xorg listening on port 6000 by default in 7.6 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Joe Wright <jwright> |
| Component: | gdm | Assignee: | Ray Strode [halfline] <rstrode> |
| Status: | CLOSED ERRATA | QA Contact: | Desktop QE <desktop-qa-list> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.6 | CC: | aaron.marshall.ctr, amike, andreas.schiermeier, ayadav, cpippin, cww, dhill, infra, jualvare, mabrown, mboisver, mclasen, paddor, rstrode, sea.laszlo, toneata, tpelka, vchoudha, website |
| Target Milestone: | rc | Keywords: | Regression, Reopened, ZStream |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | 7.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1650564 1658464 (view as bug list) | Environment: | |
| Last Closed: | 2019-08-06 12:37:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1650564, 1658464 | | |
| Attachments: | | | |
Description
Joe Wright
2018-11-07 22:46:19 UTC
This is not a regression, RHEL7's X server has always listened to TCP by default. I wouldn't necessarily call that "intentional" - more just what upstream happened to have as the default when 7.0 was released - but since it's what we started RHEL7 with it's what we have to keep doing. Upstream changed the default in xserver 1.17, at which point (RHEL 7.2 rebase) we explicitly started configuring the X server the other way. RHEL8 won't have this issue.

X has always listened to TCP by default, but GDM has always overridden it to not do that. In 7.6 GDM no longer does that overriding because of this code:

```
if $PKG_CONFIG --atleast-version=1.17 xorg-server; then
  AC_DEFINE([HAVE_XSERVER_THAT_DEFAULTS_TO_LOCAL_ONLY], [], [XServer disables tcp access by default])
fi
```

The server is greater than 1.17 now, but it doesn't default to local only, so the define is incorrect. We should patch it to force local only false, so gdm can disable it explicitly.

The problem is not gdm listening on port 6000 but swift being configured to use port 6000 instead of another one, and the solution is the following [1]:

So in your /home/stack/undercloud.conf you want to have something like:

```ini
hieradata_override = /home/stack/hiera_override.yaml
```

And then in /home/stack/hiera_override.yaml you can add:

```yaml
swift::storage::all::object_port: "6200"
```

(I tested this on OSP10 and it works okay)

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1649511#c5

Thanks for the insight. Two separate issues that need to be addressed I guess.

Created attachment 1511066 [details]
configure: don't assume x server defaults to local only

it doesn't in rhel
*** Bug 1656016 has been marked as a duplicate of this bug. ***

Any simple fix to make X stop from listening on 6000/tcp? When I set the setting to stop listening on TCP in /etc/gdm/custom.conf, it still listens on 0.0.0.0:6000 and ::1:6000, although a non-local nmap would tell me the port is filtered/closed. But `netstat -tlnp` doesn't lie.

The only supported workaround at this time is to use firewall rules. A fix for this issue is currently being evaluated.

(In reply to Patrik Wenger from comment #13)
> Any simple fix to make X stop from listening on 6000/tcp? When I set the
> setting to stop listening on TCP in /etc/gdm/custom.conf, it still listens
> on 0.0.0.0:6000 and ::1:6000, although a non-local nmap would tell me the
> port is filtered/closed. But `netstat -tlnp` doesn't lie.

Unfortunately the best bet currently is to make firewall rules to just block the port outright. By default, the firewall doesn't open ports on 6xxx, but you can set explicit block rules if you're not comfortable with the default.

I found a solution; it's not pretty but it works. Replace /usr/bin/X, which is a link to /usr/bin/Xorg, with a shell script of the following:

```sh
#!/bin/bash
exec /usr/bin/Xorg "$@" -nolisten tcp
exit 0
```

Also make sure you have your permissions correct afterwards:

```
ls -aZl /usr/bin/X
```

Verified on gdm-3.28.2-15.el7.x86_64.

I noticed that the workstations with 6000 and 60001 open had DisallowTCP set to false in my custom gdm file. I got the idea to remove this line from: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/x11/open_x11.md

```
vi /etc/gdm/custom.conf
```

Under the [security] area, remove:

```
DisallowTCP=false
```

logout/reboot

```
nmap -p 6000 --script=x11-access <hostname>

PORT     STATE    SERVICE
6000/tcp filtered X11
```

A firewall rule might be a better solution, but this seems to appease ACAS.
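A defender-side audit for the two symptoms the commenters above describe, written here as an added example and not taken from the bug report or from gdm: it parses a `netstat -tlnp`-style listing for port-6000 listeners bound beyond loopback, and flags a `DisallowTCP=false` line in the `[security]` section of a gdm custom.conf. The netstat listing and config below are constructed samples.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a host for an X server
# reachable on TCP 6000 beyond loopback and for a DisallowTCP=false
# override in /etc/gdm/custom.conf. Inputs are passed in as strings so
# the checks run offline against constructed samples.

# Constructed sample of `netstat -tlnp` output, mirroring the thread's report.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:6000     0.0.0.0:*        LISTEN  1234/X
tcp        0      0 127.0.0.1:631    0.0.0.0:*        LISTEN  900/cupsd
tcp6       0      0 :::6000          :::*             LISTEN  1234/X'

# Constructed /etc/gdm/custom.conf carrying the override found in the thread.
SAMPLE_CUSTOM_CONF='[daemon]
AutomaticLoginEnable=false

[security]
DisallowTCP=false

[xdmcp]
Enable=false'

# Print every local address in LISTEN state on port 6000 (X display :0).
x11_tcp_listeners() {
    printf '%s\n' "$1" | awk '$6 == "LISTEN" && $4 ~ /:6000$/ { print $4 }'
}

# Succeed (exit 0) if any port-6000 listener is bound to a non-loopback
# address, i.e. reachable from the network unless a firewall blocks it.
x11_tcp_exposed() {
    x11_tcp_listeners "$1" | grep -Ev '^(127\.[0-9.]+|::1):6000$' | grep -q .
}

# Succeed if the [security] section sets DisallowTCP=false (case-insensitive,
# surrounding blanks tolerated); the same key in other sections is ignored.
gdm_allows_tcp() {
    printf '%s\n' "$1" | awk '
        /^\[/ { insec = ($0 == "[security]"); next }
        insec && tolower($0) ~ /^[ \t]*disallowtcp[ \t]*=[ \t]*false[ \t]*$/ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Live run against this host, only where netstat and the gdm config exist.
if command -v netstat >/dev/null 2>&1 && [ -r /etc/gdm/custom.conf ]; then
    x11_tcp_exposed "$(netstat -tln 2>/dev/null)" && echo "X11 TCP port 6000 reachable beyond loopback"
    gdm_allows_tcp "$(cat /etc/gdm/custom.conf)" && echo "custom.conf sets DisallowTCP=false"
fi
```

Running it on the sample data reports both findings; on a host fixed with `-nolisten tcp` the listener check finds nothing on 6000 at all.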
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2044