Description of problem: X server in F22 allows X clients to connect even when they have no valid MIT-MAGIC authentication cookie. Connections are accepted from different users (i.e. are not related to 'xhost +si:localuser:`id -un`'). I could reproduce this with both X session started from *dm (lxdm in my case) as well as X server started manually from the text console. Besides Xorg, I quickly tested with Xephyr and Xnest - they also seem affected in the same way. Version-Release number of selected component (if applicable): xorg-x11-server-Xorg-1.17.2-2.fc22.x86_64 Steps to Reproduce: 1. User1 opens X session - via DM or startx. 2. User2 connects on other text virtual terminal or via ssh. 3. User2 sets DISPLAY to :0 and can connect to User1's X session - start new X apps or use xwd to steal info (it seems session has to be active / displayed for at least xwd -root to work). Actual results: User2 is allowed to connect to User1's X session. Expected results: xterm: Xt error: Can't open display: :0
I did some more testing, and I could not reproduce with a defaultish (I changed /etc/gdm/custom.conf to WaylandEnable=false) F22 installation. I could not reproduce with GNOME sessions (shell or classic) started from gdm. I could reproduce with Xephyr or Xnest started within GNOME session. I could also reproducer after replacing gdm with lxdm with the default GNOME shell session, and also start applications on the lxdm's pre-login screen.
Ok, I think I got confused by lxdm doing the wrong thing (starting X server without -auth), plus my pebkac mistake when testing (sometimes starting X server directly and sometimes using startx). I'm re-assigning to lxdm to have it fixed to properly start X server with -auth.
right, X without -auth implies anyone local can connect. if lxdm is doing that, it needs to be fixed.
(In reply to Ray Strode [halfline] from comment #3) > if lxdm is doing that, it needs to be fixed. I already mailed upstream author dgod.osa@gmail about this.
I got no response from upstream yet, but I noticed this commit that was added to upstream git few hours ago: http://git.lxde.org/gitweb/?p=lxde/lxdm.git;a=commitdiff;h=e8f387089e241360bdc6955d3e479450722dcea3
I actually got a "Should be fixed in git now." response from upstream, but it ended up in my spam folder.
F-22 lxdm is so old (published more than 3 years ago) and extra check is needed (and I don't use F-22 any longer)
Created attachment 1080978 [details] Patch re-diffed for 0.4.1 (In reply to Mamoru TASAKA from comment #7) > F-22 lxdm is so old (published more than 3 years ago) and extra check is > needed (and I don't use F-22 any longer) Upstream patch applies rather cleanly to 0.4.1 in F22. Attaching re-diffed patched. Scratch build for F22 is here: http://koji.fedoraproject.org/koji/taskinfo?taskID=11372079 With the patch, X is now started with -auth argument as expected.
Making this bug public.
Mamoru, if you're going to prepare updates for F21 and F22, consider also applying the fix for bug 846086. Upstream patch for that issue is available.
lxdm-0.4.1-10.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-adbae85c55
lxdm-0.4.1-10.fc21 has been submitted as an update to Fedora 21. https://bodhi.fedoraproject.org/updates/FEDORA-2015-7766c0d939
F-23 is via https://bodhi.fedoraproject.org/updates/FEDORA-2015-44deee4d7a
The git version with the above fix was tagged and released as lxdm 0.5.2.
lxdm-0.4.1-10.fc21 has been pushed to the Fedora 21 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update lxdm' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-7766c0d939
lxdm-0.4.1-10.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update lxdm' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-adbae85c55
lxdm-0.5.1-7.D20151007gite8f38708.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update lxdm' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-44deee4d7a
lxdm-0.4.1-10.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
lxdm-0.4.1-10.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
lxdm-0.5.1-7.D20151007gite8f38708.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Now NFS user is seeing bug 1283581 . I am currently thinking of reverting this. Also (perhaps) the same bug report on the upstream: http://sourceforge.net/p/lxde/bugs/786/
(In reply to Mamoru TASAKA from comment #21) > Now NFS user is seeing bug 1283581 . I am currently thinking of reverting > this. I do not think this should be made insecure by default to address some non-standard use case, where the actual root cause is not yet understood.
I'm re-closing this, as bug 1283581 is apparently getting fixed without needing to revert the fix for this issue.