Red Hat Bugzilla – Bug 486120
xorg-x11-server: Xorg server built without PAM support
Last modified: 2010-03-30 04:34:06 EDT
Description of problem:
Xorg X server as shipped with Red Hat Enterprise Linux 5 is no longer built with PAM support.
Traditionally, X server shipped in Red Hat Enterprise Linux (XFree86 in el2.1 and el3, Xorg in el4) was built with PAM support to restrict ability to run X server to only console users, not allowing X server to be started by remotely-connected users.
This seems to be a regression introduced during the modularization / split of the xorg-x11 package. It was previously reported for Fedora (bug #212162) with further details and some discussion on the changes needed to address this.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
See bug #212162, or ssh to some machine and try to run Xorg. On el5, X server is started, on el4 and earlier, following error is printed:
PAM authentication failed, cannot start Xserver
Perhaps you do not have console ownership?
It seems that not many other vendors restrict X server to only console users. Apart from RHEL/Fedora, only Mandriva and rPath seem to do so among larger distributions. There does not seem to be any restriction used by Debian/Ubuntu, Gentoo or SuSE.
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
I will second this request.
In the default config, it seems that a remote user could start up an xserver,
and then bring up a fake terminal, or login screen to do with as they wish.
Since the local terminal automatically jumps to the the new tty, a local user
coming upon the system may not realize what's going on.
Please correct me if this isn't as big a security concern as I imagine (I
haven't done proof of concept), but any admin who switched from an initdefault
if 5 to 3 has this configuration to worry about.
I checked into debian, and they have their own wrapper for X (Xwrapper.config
and xserver-xwrapper.c), that allows configuration for rootonly, console, or
2281401 build (dist-5E-qu-candidate, /cvs/dist:rpms/xorg-x11-server/RHEL-5:xorg-x11-server-1_1_1-48_74_el5) completed successfully
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.