Xorg-server optional security concern

[DJ Lucas]

echo -e '#!/bin/sh\nexec /usr/bin/X -nolisten tcp' /etc/X11/xinit/xserverrc && chmod 755 /etc/X11/xinit/xserverrc

See ticket #2391 Comment 7 for more info.

echo -e '#!/bin/sh\nexec /usr/bin/X -nolisten tcp' > /etc/X11/xinit/xserverrc && chmod 755 /etc/X11/xinit/xserverrc

[alexander@…]

Suggested text for the book:

By default, the X server (started with the startx command) listens on a unix-domain socket for local connections and also on TCP port 6000 for remote connections. Unauthenticated remote TCP connections are rejected by default, but it is more secure to disable the TCP socket completely, just in case if a remotely-exploitable bug is found in the future in the code that checks the authentication cookie. If you wish to do so, create the /etc/X11/xinit/xserverrc file that is read by the xinit program, and thus indirectly used by startx:

cat >/etc/X11/xinit/xserverrc <<"EOF"
#!/bin/sh
exec /usr/bin/X -nolisten tcp
EOF
chmod 755 /etc/X11/xinit/xserverrc

You can also use the /etc/X11/xinit/xserverrc file to add other default arguments to the X server command line.

FIXME: explain how to pass the "-nolisten tcp" arguments with gdm, kdm and xdm.

[Randy McMurchy]

Modified milestone from 6.4 to 6.5

[(none)]

Milestone 6.5 deleted

[Randy McMurchy]

Updated milestone to 6.7

[Armin K]

xorg-server doesn't listen on tcp by default anymore.

[bdubbs@…]

Milestone current deleted