Bug 65

Summary: Missing /etc/X11/xdm/authdir - was 'ill inital xhost values'
Product: [Retired] Red Hat Linux Reporter: nils
Component: XFree86Assignee: David Lawrence <dkl>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: high    
Version: 5.2CC: dkl
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 1998-11-16 13:48:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 110863    
Bug Blocks:    

Description nils 1998-11-14 05:47:23 UTC 
[Sorry to come with this again]

The now closed (DISCARDED) bug #8 happened on our systems
even within xdm. I digged a little bit and found out that
/etc/X11/xdm/authdir is missing. xdm tries to put its auth
files in /usr/X11R6/lib/X11/xdm/authdir which due to
symlinks resolves to /etc/X11/xdm/authdir. Someone should
include /etc/X11/xdm/authdir in the XFree86 package,
otherwise xdm will fall back to xhost authorization. Now we
have the -- still -- ill xhost values when starting without
xauth. The inital values should (at max) be 'LOCAL:' --
no 'thishost.domain.com' and 'localhost'. And the xhost
values (maybe except the LOCAL:) should be resettable by the
user, or am I talking nonsens here?

I think the lack of /etc/X11/xdm/authdir is due to us not
going through the 'official' redhat update procedure but
just installing the new rpms on the machines in our pool.
Maybe one should advise people to check for this directory
on their machines, because the lack of it causes IMO a
not negligible security breach. Don't forget to include
/etc/X11/xdm/authdir in the next release of XFree.

Best wishes,
Nils
Comment 1 Preston Brown 1998-11-16 13:48:59 UTC 
You are correct that /etc/X11/xdm/authdir is not owned by any
package.   However, further investigation shows that xdm actually
creates the authdir if it is not present when it is first run.
Therefore there is no need for it to be owned by the package.

When logging in with xdm, on a 5.2 system, this is the default value
that I get for xhost:

[pbrown@pip xdm]$ xhost
access control enabled, only authorized clients can connect

which is what I would expect.  Users other than myself cannot start X
programs.  For example, here is what happens if I try to start xclock
as root (instead of myself, pbrown):

[root@pip xdm]# xclock
Xlib: connection to ":0.0" refused by server
Xlib: Client is not authorized to connect to Server
Error: Can't open display: :0.0

If you get other values from xhost while you are using xdm, you have
changed something in your configuration from the default settings.