Opened 14 years ago

Closed 10 years ago

Last modified 8 years ago

#2519 closed task (overcomebyevents)

Xorg-server optional security concern

Reported by: DJ Lucas
Owned by: blfs-book@…
Priority: normal
Milestone:
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

echo -e '#!/bin/sh\nexec /usr/bin/X -nolisten tcp' > /etc/X11/xinit/xserverrc && chmod 755 /etc/X11/xinit/xserverrc

See ticket #2391 Comment 7 for more info.

Change History (8)

comment:1 by alexander@…, 14 years ago

Suggested text for the book:

By default, the X server (started with the startx command) listens on a Unix-domain socket for local connections and also on TCP port 6000 for remote connections. Unauthenticated remote TCP connections are rejected by default, but it is more secure to disable the TCP socket completely, just in case a remotely exploitable bug is found in the future in the code that checks the authentication cookie. If you wish to do so, create the /etc/X11/xinit/xserverrc file that is read by the xinit program, and thus indirectly used by startx:

cat >/etc/X11/xinit/xserverrc <<"EOF"
#!/bin/sh
exec /usr/bin/X -nolisten tcp
EOF
chmod 755 /etc/X11/xinit/xserverrc

You can also use the /etc/X11/xinit/xserverrc file to add other default arguments to the X server command line.

FIXME: explain how to pass the "-nolisten tcp" arguments with gdm, kdm and xdm.
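
A check that the change suggested in comment 1 took effect, as an added example that is not part of the ticket or the BLFS book: it confirms that an xserverrc script passes -nolisten tcp and lists X11 TCP listeners found in a /proc/net/tcp-format table. The function names, the constructed sample table and the 6000-6063 port range (display :N uses port 6000+N, which goes beyond the single port 6000 named above) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the ticket). Sample data below is constructed.

# Succeeds if the xserverrc-style script passes "-nolisten tcp" to the server.
xserverrc_disables_tcp() {
    grep -Eq '^[[:space:]]*exec[[:space:]].*-nolisten[[:space:]]+tcp' "$1"
}

# Print "ip:port" for every LISTEN socket on an X11 port in a
# /proc/net/tcp-format table (default: the live /proc/net/tcp).
# Display :N uses port 6000+N; the 6063 upper bound is an assumption.
x11_tcp_listeners() {
    awk '
    function hex(s,    i, n) {
        s = toupper(s); n = 0
        for (i = 1; i <= length(s); i++)
            n = n * 16 + index("0123456789ABCDEF", substr(s, i, 1)) - 1
        return n
    }
    NR > 1 && $4 == "0A" {                  # st 0A = LISTEN
        split($2, a, ":")                   # local_address = HEXIP:HEXPORT
        port = hex(a[2])
        # IPv4 address bytes are stored little-endian on x86 hosts
        if (port >= 6000 && port <= 6063)
            printf "%d.%d.%d.%d:%d\n", hex(substr(a[1], 7, 2)),
                hex(substr(a[1], 5, 2)), hex(substr(a[1], 3, 2)),
                hex(substr(a[1], 1, 2)), port
    }' "${1:-/proc/net/tcp}"
}

# Constructed sample: X listening on 0.0.0.0:6000, CUPS on 127.0.0.1:631,
# and one established (st 01) connection to port 6000 that must be ignored.
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346
   2: 0100007F:1770 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 12347
EOF
}
```

Run x11_tcp_listeners with no argument on a Linux host to read the live table; empty output means nothing is listening on an X11 TCP port over IPv4.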

comment:2 by Randy McMurchy, 14 years ago

Milestone: future → 6.4

comment:3 by Randy McMurchy, 13 years ago

Milestone: 6.4 → 6.5

Modified milestone from 6.4 to 6.5

comment:4 by (none), 12 years ago

Milestone: 6.5

Milestone 6.5 deleted

comment:5 by Randy McMurchy, 12 years ago

Milestone: 6.7

Updated milestone to 6.7

comment:6 by bdubbs@…, 10 years ago

Milestone: 6.7 → current

comment:7 by Armin K, 10 years ago

Resolution: overcomebyevents
Status: new → closed

xorg-server doesn't listen on tcp by default anymore.

comment:8 by bdubbs@…, 8 years ago

Milestone: current

Milestone current deleted
