Description of problem:
- X server is listening on TCP port 6000 by default, and should not be listening at all unless explicitly configured to do so
Version-Release number of selected component (if applicable):
- xorg-x11-server-Xorg-1.20.1-5.1.el7.x86_64
How reproducible:
- 100%
Steps to Reproduce:
1. Build a 7.6 system with the full graphical environment
2. set default boot to graphical.target
3. inspect listening ports
Actual results:
- Xorg listening on tcp 6000 by default
Expected results:
- Xorg should be compiled with nolisten tcp by default
Additional info:
------------------------------------------
Release: Red Hat Enterprise Linux Server release 7.6 (Maipo)
Kernel: 3.10.0-957.el7.x86_64
------------------------------------------
[root@localhost ~]# netstat -tunap | grep X
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 3815/X
tcp6 0 0 :::6000 :::* LISTEN 3815/X
[root@localhost ~]# ps aux | grep X
root 3815 0.3 1.3 282188 24628 tty1 Ssl+ 17:37 0:00 /usr/bin/X :0 -background none -noreset -audit 4 -verbose -auth /run/gdm/auth-for-gdm-nHWVoX/database -seat seat0 vt1
root 14191 0.0 0.0 112708 968 pts/0 R+ 17:40 0:00 grep --color=auto X
[root@localhost ~]# rpm -qa | grep Xorg
xorg-x11-server-Xorg-1.20.1-5.1.el7.x86_64
This is not a regression; RHEL7's X server has always listened to TCP by default. I wouldn't necessarily call that "intentional" - more just what upstream happened to have as the default when 7.0 was released - but since it's what we started RHEL7 with, it's what we have to keep doing. Upstream changed the default in xserver 1.17, at which point (RHEL 7.2 rebase) we explicitly started configuring the X server the other way.
RHEL8 won't have this issue.
Comment 4 Ray Strode [halfline]
2018-11-08 17:04:24 UTC
X has always listened to TCP by default, but GDM has always overridden it to not do that.
In 7.6 GDM no longer does that overriding because of this code:
# configure.ac: the define is set purely from the xorg-server version
if $PKG_CONFIG --atleast-version=1.17 xorg-server; then
    AC_DEFINE([HAVE_XSERVER_THAT_DEFAULTS_TO_LOCAL_ONLY], [], [XServer disables tcp access by default])
fi
Server is greater than 1.17 now, but it doesn't default to local only. So the define is incorrect.
We should patch it to force local only false, so gdm can disable it explicitly.
The problem is not gdm listening on port 6000 but swift being configured to use port 6000 instead of another one, and the solution is the following [1]:
So in your /home/stack/undercloud.conf you want to have something like:
hieradata_override = /home/stack/hiera_override.yaml
And then in /home/stack/hiera_override.yaml you can add:
swift::storage::all::object_port: "6200"
(I tested this on OSP10 and it works okay)
https://bugzilla.redhat.com/show_bug.cgi?id=1649511#c5
Comment 7 Ray Strode [halfline]
2018-12-03 18:18:35 UTC
thanks for the insight.
two separate issues that need to be addressed I guess.
Comment 8 Ray Strode [halfline]
2018-12-03 19:05:09 UTC
Created attachment 1511066
configure: don't assume x server defaults to local only
it doesn't in rhel
Comment 9 Ray Strode [halfline]
2018-12-04 14:57:46 UTC
*** Bug 1656016 has been marked as a duplicate of this bug. ***
Any simple fix to make X stop listening on 6000/tcp? When I set the setting to stop listening on TCP in /etc/gdm/custom.conf, it still listens on 0.0.0.0:6000 and ::1:6000, although a non-local nmap would tell me the port is filtered/closed. But `netstat -tlnp` doesn't lie.
Comment 14 Ray Strode [halfline]
2018-12-11 21:39:53 UTC
The only supported workaround at this time is to use firewall rules. A fix for this issue is currently being evaluated.
(In reply to Patrik Wenger from comment #13)
> Any simple fix to make X stop listening on 6000/tcp? When I set the
> setting to stop listening on TCP in /etc/gdm/custom.conf, it still listens
> on 0.0.0.0:6000 and ::1:6000, although a non-local nmap would tell me the
> port is filtered/closed. But `netstat -tlnp` doesn't lie.
Unfortunately the best bet currently is to make firewall rules to just block the port outright. By default, the firewall doesn't open ports on 6xxx, but you can set explicit block rules if you're not comfortable with the default.
I found a solution; it's not pretty, but it works: replace /usr/bin/X, which is a link to /usr/bin/Xorg, with a shell script of the following:
#!/bin/bash
# Hand every argument gdm passed through to the real server, forcing -nolisten tcp last
exec /usr/bin/Xorg "$@" -nolisten tcp
exit 0  # never reached: exec replaces this shell with Xorg
Also make sure you have your permissions correct (`ls -aZl /usr/bin/X` afterwards).
Comment 21 Michael Boisvert
2019-05-07 19:16:52 UTC
I noticed that the workstations with 6000 and 60001 open had DisallowTCP set to false in my custom gdm file. I got the idea to remove this line from:
https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/x11/open_x11.md
vi /etc/gdm/custom.conf
Under the [security] area, remove: DisallowTCP=false
logout/reboot
nmap -p 6000 --script=x11-access <hostname>
***
PORT STATE SERVICE
6000/tcp filtered X11
***
A firewall rule might be a better solution, but this seems to appease ACAS.
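As an added example (not code from this thread, gdm or Xorg), two checks a defender can script from what the thread reports: parsing `netstat -tunap` output for X display sockets (TCP 6000-6063) bound to a wildcard address, and reading the DisallowTCP value from the [security] section of /etc/gdm/custom.conf. The sample inputs are constructed; as comment 13 reports, on the affected 7.6 build the gdm setting alone did not stop the listener, so the socket check is the one to trust.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from gdm. Sample inputs are
# constructed to match the netstat output and custom.conf setting quoted above.

# Constructed `netstat -tunap` lines (format as in the report, plus one
# unrelated local-only listener that must be ignored).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:6000   0.0.0.0:*   LISTEN      3815/X
tcp6       0      0 :::6000        :::*        LISTEN      3815/X
tcp        0      0 127.0.0.1:25   0.0.0.0:*   LISTEN      1201/master'

# Constructed /etc/gdm/custom.conf containing the line comment 21 removes.
SAMPLE_CONF='[daemon]
WaylandEnable=false

[security]
DisallowTCP=false

[xdmcp]
Enable=false'

# Print "proto local_addr pid/prog" for each LISTEN socket on an X display port
# (TCP 6000-6063) bound to a wildcard address. Argument: netstat -tunap text.
x_tcp_listeners() {
    printf '%s\n' "$1" | awk '$6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n] + 0
        if (port >= 6000 && port <= 6063 && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/))
            print $1, $4, $7
    }'
}

# Number of such sockets; 0 means no X server is reachable over TCP.
x_tcp_listener_count() {
    x_tcp_listeners "$1" | awk 'END { print NR }'
}

# Print the DisallowTCP value from the [security] section of a gdm
# custom.conf ("unset" if the key is absent). Argument: the file's text.
gdm_disallow_tcp() {
    printf '%s\n' "$1" | awk 'BEGIN { v = "unset" }
        /^\[/ { sec = $0; next }
        sec == "[security]" && /^[ \t]*DisallowTCP[ \t]*=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); v = kv[2]
        }
        END { print v }'
}

# On a real host: x_tcp_listeners "$(netstat -tunap 2>/dev/null)" and
# gdm_disallow_tcp "$(cat /etc/gdm/custom.conf)". Here, the constructed samples:
echo "X TCP listeners: $(x_tcp_listener_count "$SAMPLE_NETSTAT")"
echo "gdm DisallowTCP: $(gdm_disallow_tcp "$SAMPLE_CONF")"
```

A count of 0 together with DisallowTCP unset or true is the expected state after the errata fix; a non-zero count with DisallowTCP=false matches what comment 21 observed.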
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2019:2044