Bug 500704 - xdm creates unsecured session
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: xorg-x11-xdm
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: high
Assigned To: Matěj Cepl
QA Contact: Fedora Extras Quality Assurance
Keywords: EasyFix
Duplicates: 491485

Reported: 2009-05-13 14:45 EDT by Krzysztof Halasa
Modified: 2009-06-02 10:22 EDT
Fixed In Version: 1.1.6-8.fc10
Doc Type: Bug Fix
Last Closed: 2009-06-02 09:32:24 EDT
Description Krzysztof Halasa 2009-05-13 14:45:43 EDT
Description of problem:
Recent xdm (Fedora 10 update) changed the "auth" dir (where auth files shared between xdm and Xserver are stored) from /etc/X11/xdm/authdir to /var/lib/xdm. Unfortunately the package doesn't create the latter and this ends in unsecure X11 sessions. Creating /var/lib/xdm manually fixes it.

Version-Release number of selected component (if applicable):
1.1.6-7.fc10

How reproducible:
Just install the package and run xdm with local Xserver

Steps to Reproduce:
1. install xdm
2. run it
3. watch the login window
  
Actual results:
The login window says "this is an unsecure session" (unsecureGreeting).

Expected results:
It should say something like "this is machine_name" (greeting)

Additional info:
Perhaps the /etc/x11/xdm-config file could be marked as "config". Silently changing the XDM config file while upgrading is a security issue as well.
I'm not marking this security as there is no sensitive info here, but I guess it's "severity = high" as it's a plain security hole on multiuser systems (until fixed by mkdir /var/lib/xdm followed by restarting local Xserver(s)).
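
Added example, not part of the original report or of the Fedora package: a shell check for the condition described above, which reads `DisplayManager.authDir` from an xdm-config file and reports whether that directory exists and is not writable by group or others. The function name `check_xdm_authdir` and its return codes are assumptions made for this example; `DisplayManager.authDir` is the resource name from the xdm manual.

```shell
#!/bin/sh
# Added example: audit the authorization directory named in an xdm-config file.
# check_xdm_authdir is a hypothetical helper, not part of xdm or its packaging.
# Return codes: 0 = OK, 1 = no authDir configured, 2 = directory missing,
#               3 = directory writable by group or others.

check_xdm_authdir() {
    cfg=$1

    # xdm-config uses X resource syntax. Lines starting with "!" are comments
    # and never match, because the pattern is anchored to the resource name.
    # If several lines match, this helper takes the last one.
    authdir=$(sed -n 's/^[[:space:]]*DisplayManager[.*]authDir[[:space:]]*:[[:space:]]*//p' "$cfg" \
        | sed 's/[[:space:]]*$//' | tail -n 1)

    if [ -z "$authdir" ]; then
        echo "no DisplayManager.authDir set in $cfg" >&2
        return 1
    fi

    # The failure in this report: the configured directory was never created.
    if [ ! -d "$authdir" ]; then
        echo "authDir $authdir does not exist" >&2
        return 2
    fi

    # Characters 6 and 9 of the ls mode string are the group and other write bits.
    mode=$(ls -ld "$authdir" | cut -c1-10)
    case $mode in
        ?????w????|????????w?)
            echo "authDir $authdir is writable by group or others ($mode)" >&2
            return 3 ;;
    esac

    echo "authDir $authdir exists with mode $mode"
    return 0
}
```

Source the file and call the function with the path of the installed xdm-config; a non-zero status after a package update points to the state this bug describes.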
Comment 1 Matěj Cepl 2009-05-14 08:41:40 EDT
Could you please test my solution (I don't use xdm myself) with these scratch builds?

http://koji.fedoraproject.org/koji/taskinfo?taskID=1354556 (Rawhide, F-12)
http://koji.fedoraproject.org/koji/taskinfo?taskID=1354589 (F-11)
http://koji.fedoraproject.org/koji/taskinfo?taskID=1354575 (F-10)

Thank you
Comment 2 Krzysztof Halasa 2009-05-14 16:11:55 EDT
Sure.
I've installed xorg-x11-xdm-1.1.6-8.fc10.x86_64 and it fixed both problems.
Thanks a lot.
Comment 3 Fedora Update System 2009-05-14 19:51:01 EDT
xorg-x11-xdm-1.1.6-8.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/xorg-x11-xdm-1.1.6-8.fc10
Comment 4 Matěj Cepl 2009-05-14 19:53:18 EDT
Thanks a lot for letting us know. Yenya, you are released from your promise.
Comment 5 Matěj Cepl 2009-05-14 19:53:55 EDT
But, give it points (plus or minus) to bodhi, please.
Comment 6 Fedora Update System 2009-05-15 19:26:38 EDT
xorg-x11-xdm-1.1.6-8.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update xorg-x11-xdm'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-4985
Comment 7 Krzysztof Halasa 2009-05-18 07:34:36 EDT
Do I need to take an additional action WRT this bug? No?
Comment 8 Matěj Cepl 2009-05-18 08:52:15 EDT
*** Bug 491485 has been marked as a duplicate of this bug. ***
Comment 9 Matěj Cepl 2009-05-18 08:53:22 EDT
(In reply to comment #7)
> Do I need to take an additional action WRT this bug? No?  

No, you don't. Thank you very much.
Comment 10 Fedora Update System 2009-06-02 10:22:05 EDT
xorg-x11-xdm-1.1.6-8.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
