Description of problem:
Xorg X server as shipped with Red Hat Enterprise Linux 5 is no longer built with PAM support. Traditionally, the X server shipped in Red Hat Enterprise Linux (XFree86 in el2.1 and el3, Xorg in el4) was built with PAM support to restrict the ability to run the X server to console users only, not allowing the X server to be started by remotely-connected users. This seems to be a regression introduced during the modularization / split of the xorg-x11 package. It was previously reported for Fedora (bug #212162) with further details and some discussion on the changes needed to address this.

Version-Release number of selected component (if applicable):
xorg-x11-server-1.1.1-48.52.el5

Steps to Reproduce:
See bug #212162, or ssh to some machine and try to run Xorg. On el5, the X server is started; on el4 and earlier, the following error is printed:

  PAM authentication failed, cannot start Xserver
  Perhaps you do not have console ownership?

Additional info:
It seems that not many other vendors restrict the X server to console users only. Apart from RHEL/Fedora, only Mandriva and rPath seem to do so among larger distributions. There does not seem to be any restriction used by Debian/Ubuntu, Gentoo or SuSE.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
I will second this request. In the default config, it seems that a remote user could start up an xserver, and then bring up a fake terminal, or login screen to do with as they wish. Since the local terminal automatically jumps to the new tty, a local user coming upon the system may not realize what's going on. Please correct me if this isn't as big a security concern as I imagine (I haven't done a proof of concept), but any admin who switched from an initdefault of 5 to 3 has this configuration to worry about. I checked into Debian, and they have their own wrapper for X (Xwrapper.config and xserver-xwrapper.c), that allows configuration for rootonly, console, or anybody.
2281401 build (dist-5E-qu-candidate, /cvs/dist:rpms/xorg-x11-server/RHEL-5:xorg-x11-server-1_1_1-48_74_el5) completed successfully MODIFIED
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2010-0259.html