Bug 1268900 - lxdm: X server started without -auth, exposing it to connections form any local user
lxdm: X server started without -auth, exposing it to connections form any loc...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: lxdm (Show other bugs)
23
Unspecified Unspecified
unspecified Severity high
: ---
: ---
Assigned To: Mamoru TASAKA
Fedora Extras Quality Assurance
: Reopened, Security
Depends On: 1283581
Blocks: CVE-2015-8308
  Show dependency treegraph
 
Reported: 2015-10-05 11:07 EDT by Tomas Hoger
Modified: 2015-11-23 07:23 EST (History)
9 users (show)

See Also:
Fixed In Version: lxdm-0.4.1-10.fc22
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-23 07:23:11 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch re-diffed for 0.4.1 (1.90 KB, patch)
2015-10-08 07:39 EDT, Tomas Hoger
no flags Details | Diff

  None (edit)
Description Tomas Hoger 2015-10-05 11:07:11 EDT
Description of problem:

X server in F22 allows X clients to connect even when they have no valid MIT-MAGIC authentication cookie.  Connections are accepted from different users (i.e. are not related to 'xhost +si:localuser:`id -un`').  I could reproduce this with both X session started from *dm (lxdm in my case) as well as X server started manually from the text console.  Besides Xorg, I quickly tested with Xephyr and Xnest - they also seem affected in the same way.

Version-Release number of selected component (if applicable):

xorg-x11-server-Xorg-1.17.2-2.fc22.x86_64

Steps to Reproduce:
1. User1 opens X session - via DM or startx.
2. User2 connects on other text virtual terminal or via ssh.
3. User2 sets DISPLAY to :0 and can connect to User1's X session - start new X apps or use xwd to steal info (it seems session has to be active / displayed for at least xwd -root to work).

Actual results:

User2 is allowed to connect to User1's X session.

Expected results:

xterm: Xt error: Can't open display: :0
Comment 1 Tomas Hoger 2015-10-06 06:33:17 EDT
I did some more testing, and I could not reproduce with a defaultish (I changed /etc/gdm/custom.conf to WaylandEnable=false) F22 installation.  I could not reproduce with GNOME sessions (shell or classic) started from gdm.  I could reproduce with Xephyr or Xnest started within GNOME session.  I could also reproducer after replacing gdm with lxdm with the default GNOME shell session, and also start applications on the lxdm's pre-login screen.
Comment 2 Tomas Hoger 2015-10-06 09:18:07 EDT
Ok, I think I got confused by lxdm doing the wrong thing (starting X server without -auth), plus my pebkac mistake when testing (sometimes starting X server directly and sometimes using startx).

I'm re-assigning to lxdm to have it fixed to properly start X server with -auth.
Comment 3 Ray Strode [halfline] 2015-10-06 17:19:45 EDT
right, X without -auth implies anyone local can connect. if lxdm is doing that, it needs to be fixed.
Comment 4 Tomas Hoger 2015-10-06 17:32:34 EDT
(In reply to Ray Strode [halfline] from comment #3)
> if lxdm is doing that, it needs to be fixed.

I already mailed upstream author dgod.osa@gmail about this.
Comment 5 Tomas Hoger 2015-10-07 09:58:05 EDT
I got no response from upstream yet, but I noticed this commit that was added to upstream git few hours ago:

http://git.lxde.org/gitweb/?p=lxde/lxdm.git;a=commitdiff;h=e8f387089e241360bdc6955d3e479450722dcea3
Comment 6 Tomas Hoger 2015-10-08 02:55:34 EDT
I actually got a "Should be fixed in git now." response from upstream, but it ended up in my spam folder.
Comment 7 Mamoru TASAKA 2015-10-08 05:47:04 EDT
F-22 lxdm is so old (published more than 3 years ago) and extra check is needed (and I don't use F-22 any longer)
Comment 8 Tomas Hoger 2015-10-08 07:39 EDT
Created attachment 1080978 [details]
Patch re-diffed for 0.4.1

(In reply to Mamoru TASAKA from comment #7)
> F-22 lxdm is so old (published more than 3 years ago) and extra check is
> needed (and I don't use F-22 any longer)

Upstream patch applies rather cleanly to 0.4.1 in F22.  Attaching re-diffed patched.

Scratch build for F22 is here:
http://koji.fedoraproject.org/koji/taskinfo?taskID=11372079

With the patch, X is now started with -auth argument as expected.
Comment 9 Tomas Hoger 2015-10-08 07:48:01 EDT
Making this bug public.
Comment 10 Tomas Hoger 2015-10-08 07:51:18 EDT
Mamoru, if you're going to prepare updates for F21 and F22, consider also applying the fix for bug 846086.  Upstream patch for that issue is available.
Comment 11 Fedora Update System 2015-10-08 10:33:04 EDT
lxdm-0.4.1-10.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-adbae85c55
Comment 12 Fedora Update System 2015-10-08 10:33:55 EDT
lxdm-0.4.1-10.fc21 has been submitted as an update to Fedora 21. https://bodhi.fedoraproject.org/updates/FEDORA-2015-7766c0d939
Comment 13 Mamoru TASAKA 2015-10-08 10:37:27 EDT
F-23 is via
https://bodhi.fedoraproject.org/updates/FEDORA-2015-44deee4d7a
Comment 14 Tomas Hoger 2015-10-09 03:57:11 EDT
The git version with the above fix was tagged and released as lxdm 0.5.2.
Comment 15 Fedora Update System 2015-10-09 08:51:34 EDT
lxdm-0.4.1-10.fc21 has been pushed to the Fedora 21 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update lxdm'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-7766c0d939
Comment 16 Fedora Update System 2015-10-09 09:54:48 EDT
lxdm-0.4.1-10.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update lxdm'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-adbae85c55
Comment 17 Fedora Update System 2015-10-09 09:56:13 EDT
lxdm-0.5.1-7.D20151007gite8f38708.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update lxdm'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-44deee4d7a
Comment 18 Fedora Update System 2015-10-17 18:55:18 EDT
lxdm-0.4.1-10.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2015-10-17 19:20:24 EDT
lxdm-0.4.1-10.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2015-10-31 22:44:54 EDT
lxdm-0.5.1-7.D20151007gite8f38708.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 21 Mamoru TASAKA 2015-11-20 04:00:49 EST
Now NFS user is seeing bug 1283581 . I am currently thinking of reverting this. Also (perhaps) the same bug report on the upstream:
http://sourceforge.net/p/lxde/bugs/786/
Comment 22 Tomas Hoger 2015-11-20 04:19:09 EST
(In reply to Mamoru TASAKA from comment #21)
> Now NFS user is seeing bug 1283581 . I am currently thinking of reverting
> this.

I do not think this should be made insecure by default to address some non-standard use case, where the actual root cause is not yet understood.
Comment 23 Tomas Hoger 2015-11-23 07:23:11 EST
I'm re-closing this, as bug 1283581 is apparently getting fixed without needing to revert the fix for this issue.

Note You need to log in before you can comment on or make changes to this bug.