Bug 486120 - xorg-x11-server: Xorg server built without PAM support
xorg-x11-server: Xorg server built without PAM support
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: xorg-x11-server (Show other bugs)
5.3
All Linux
medium Severity medium
: rc
: ---
Assigned To: Adam Jackson
desktop-bugs@redhat.com
:
Depends On: 506535
Blocks:
  Show dependency treegraph
 
Reported: 2009-02-18 10:22 EST by Tomas Hoger
Modified: 2010-03-30 04:34 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 582710 (view as bug list)
Environment:
Last Closed: 2010-03-30 04:34:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2009-02-18 10:22:41 EST
Description of problem:
Xorg X server as shipped with Red Hat Enterprise Linux 5 is no longer built with PAM support.

Traditionally, X server shipped in Red Hat Enterprise Linux (XFree86 in el2.1 and el3, Xorg in el4) was built with PAM support to restrict ability to run X server to only console users, not allowing X server to be started by remotely-connected users.

This seems to be a regression introduced during the modularization / split of the xorg-x11 package.  It was previously reported for Fedora (bug #212162) with further details and some discussion on the changes needed to address this.


Version-Release number of selected component (if applicable):
xorg-x11-server-1.1.1-48.52.el5


Steps to Reproduce:
See bug #212162, or ssh to some machine and try to run Xorg.  On el5, X server is started, on el4 and earlier, following error is printed:

  PAM authentication failed, cannot start Xserver
  Perhaps you do not have console ownership?
  

Additional info:
It seems that not many other vendors restrict X server to only console users.  Apart from RHEL/Fedora, only Mandriva and rPath seem to do so among larger distributions.  There does not seem to be any restriction used by Debian/Ubuntu, Gentoo or SuSE.
Comment 2 RHEL Product and Program Management 2009-03-11 14:59:02 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 3 Jim 2009-03-11 15:37:19 EDT
I will second this request.

In the default config, it seems that a remote user could start up an xserver,
and then bring up a fake terminal, or login screen to do with as they wish.
Since the local terminal automatically jumps to the the new tty, a local user
coming upon the system may not realize what's going on.

Please correct me if this isn't as big a security concern as I imagine (I
haven't done proof of concept), but any admin who switched from an initdefault
if 5 to 3 has this configuration to worry about.


I checked into debian, and they have their own wrapper for X (Xwrapper.config
and xserver-xwrapper.c), that allows configuration for rootonly, console, or
anybody.
Comment 12 RHEL Product and Program Management 2010-02-23 17:45:24 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 16 Adam Jackson 2010-02-24 14:13:55 EST
2281401 build (dist-5E-qu-candidate, /cvs/dist:rpms/xorg-x11-server/RHEL-5:xorg-x11-server-1_1_1-48_74_el5) completed successfully

MODIFIED
Comment 20 errata-xmlrpc 2010-03-30 04:34:06 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0259.html

Note You need to log in before you can comment on or make changes to this bug.