Bug 592
| Summary: | standard startx script allows any user to capture X events (and keystroke) from other users' windows | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | borgia |
| Component: | XFree86 | Assignee: | Preston Brown <pbrown> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 5.2 | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 1999-01-18 22:20:47 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
You might also consider using the mkxauth package A patch to use xauth in startx will be posted to the errata site. However, 5.2 will not incorporate this patch into XFree in an security update, because many people are not familiar with xauth but only xhost (no matter how wrong this is) and there will be much complaining from them if we change this. 6.0 will make the change. |
Let's suppose I write a transparent X program (or go to rootshell and get it, it is already there) and that I run it on a workstation occupied by another user: the program sees everything he does under X and logs every keystroke on a file in my home dir. Things like ssh are pretty useless in this situation... the solution is to prevent other users from starting X apps on a server they didn't start and this can be done in two ways: 1) by using xdm, that by default has authentication enabled 2) by modifying startx this way: -cut-cut- --- startx Thu Nov 26 11:05:11 1998 +++ /usr/X11R6/bin/startx Thu Nov 26 10:55:37 1998 @@ -44,7 +44,7 @@ serverargs=$sysserverrc fi fi - +display=:0 whoseargs="client" while [ "x$1" != "x" ]; do case "$1" in @@ -58,10 +58,18 @@ clientargs="$clientargs $1" else serverargs="$serverargs $1" + case "$1" in + :[0-9]) display="$1" ;; + esac fi ;; esac shift done + +mcookie=`mcookie` +serverargs="$serverargs -auth $HOME/.Xauthority" +xauth add $display . $mcookie +xauth add `hostname -f`$display . $mcookie xinit $clientargs -- $serverargs -cut-cut- This problem was also present in RH5.0 and 5.1