urgent wdm security issue (woody sid only)

(Sorry for the cross-posting; this is somewhat important)

Versions 1.20-11.2 and 1.20-12 of wdm contain a configuration error that caused X session authentication data to be stored in a non-existent directory. In situations like this, the X server falls back to a security mode which allows *all* users of the local system to access the display. That is to say, it was essentially running as though

    xhost localhost
    xhost `hostname -f`

had been run.

People using sid should see 1.20-13 in the archives now. If you are using woody, you should install 1.20-13 from sid now. It is available for i386 at:

    http://http.us.debian.org/debian/pool/main/w/wdm/wdm_1.20-13_i386.deb

It has not yet been built for other architectures.

When you install the updated package, you will be asked if you want to install a new version of /etc/X11/wdm/wdm-config. If you install a new version, then the authentication problem will be fixed. If you do not wish to install a new version of that file, then please edit it and change the DisplayManager.authDir resource to /var/lib/wdm

Be sure that wdm gets restarted after you make the changes.

Once the change is made, you can verify that it worked by running 'xhost'. If it outputs

    access control enabled, only authorized clients can connect

and nothing else, then you're all set.

Thanks to the several people who pointed this problem out to me in the past couple of days.

noah

-- 
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
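The fix and the check from the advisory above, as an added shell example that is not part of Noah's mail or of the wdm package: it reads the DisplayManager.authDir resource out of a wdm-config file, verifies that the directory actually exists (a missing directory is exactly the failure mode described), and interprets `xhost` output the way the last paragraph of the advisory does. The file paths and the sample configs are constructed here for illustration; the only real-world assumption is the xrdb-style `Resource: value` syntax of wdm-config.

```shell
#!/bin/sh
# Added example (not from the advisory or the wdm package): audit the two
# things the advisory tells you to check. Paths are passed as arguments;
# the sample files in demo() are constructed here for illustration.

# Print the value of the DisplayManager.authDir resource from an xdm/wdm
# style config. Tolerates leading whitespace, tabs around the colon and
# '!' comment lines; if the resource appears twice the last one wins, as
# with xrdb-style resource files.
wdm_authdir() {
    sed -n 's/^[[:space:]]*DisplayManager\.authDir[[:space:]]*:[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Succeed only if authDir is set and names an existing directory. A missing
# directory is the failure mode in the advisory: the server cannot store its
# authorization cookie, so the display ends up open to every local user.
check_authdir() {
    dir=$(wdm_authdir "$1")
    [ -n "$dir" ] && [ -d "$dir" ]
}

# Read `xhost` output from stdin and succeed only when it is exactly the
# "access control enabled" banner. Any further line (e.g. INET:localhost)
# is a host whose users may connect without a cookie; "access control
# disabled" is worse still, so it fails too.
xhost_is_clean() {
    out=$(cat)
    [ "$out" = "access control enabled, only authorized clients can connect" ]
}

# Demonstration on constructed files: one config pointing at a directory
# that does not exist, one pointing at a directory that does.
demo() {
    tmp=$(mktemp -d)
    printf 'DisplayManager.authDir:\t%s/does-not-exist\n' "$tmp" > "$tmp/bad-wdm-config"
    printf '! comment\nDisplayManager.authDir:\t%s\n' "$tmp" > "$tmp/good-wdm-config"
    for f in "$tmp/bad-wdm-config" "$tmp/good-wdm-config"; do
        if check_authdir "$f"; then
            echo "$f: authDir $(wdm_authdir "$f") exists"
        else
            echo "$f: authDir missing, display would be open to all local users"
        fi
    done
    rm -rf "$tmp"
}

demo
```

On a live system, `check_authdir /etc/X11/wdm/wdm-config` and `xhost | xhost_is_clean` are the two calls that matter; the second one has to run inside an X session, since `xhost` needs a display to talk to.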
RE: wdm security

> startx -- -nolisten tcp

Obviously this would do the trick, but see below as to why it is not a good option.

> only as part of the perennially-discussed task-harden.
>
> Doesn't even affect remote xsessions, as you should be using ssh to tunnel your sessions anyway.

There is no way of ssh tunneling remote X sessions, when my remote terminal is a dummy Tektronix X terminal. When in a switched internal network (that is, there is a firewall between the switch and the internet), the need to tunnel is minimal - unless my switch and firewall are compromised - if not non-existent.

-- 
| Juha Jäykkä, [EMAIL PROTECTED] |
| home: http://www.utu.fi/~juolja/ |
Re: wdm security

> I would not trash wdm just yet. Let me take a look. If you're concerned, you might want to firewall that port using ipchains or iptables.

No problem - I am currently behind an ipchains firewall, but it's about to change and I just wanted to know if something breaks if I ipchain/table the port off the network or if it's secure enough to remain - or even if it (the listener, not whole wdm) can be turned off without breaking anything. You take your time looking into it and I'll see what you come up with. Thanks.

-- 
| Juha Jäykkä, [EMAIL PROTECTED] |
| home: http://www.utu.fi/~juolja/ |
RE: wdm security

On Fri, 25 May 2001, Steve wrote:

> Ed == Ed Street [EMAIL PROTECTED] writes:
>
> > Hello, If memory serves me correctly there's a line in /etc/X11 that you can add/modify to tell it to NOT listen.
>
> startx -- -nolisten tcp will have the effect. However, there doesn't seem to be a global setting that will enforce it system-wide, short of aliasing startx to that command. When some X11 vulnerabilities were found in this area last year, the reporter suggested that desktop installs of X11 systems should enable this option as default. This would be nice to see added to debian, if only as part of the perennially-discussed task-harden. Doesn't even affect remote xsessions, as you should be using ssh to tunnel your sessions anyway.

You don't read the debconf warnings much, do you? xserver-* has been warning potential installers that it doesn't listen on TCP for about a year now if memory serves...

> Steve

-- 
You have paid nothing for the preceding, therefore it's worth every penny you've paid for it: if you did pay for it, might I remind you of the immortal words of Phineas Taylor Barnum regarding fools and money?

Who is John Galt? [EMAIL PROTECTED], that's who!
Re: wdm security

On Friday 25 May 2001 10:00 am, John Galt wrote:

> On Fri, 25 May 2001, Steve wrote:
>
> > Ed == Ed Street [EMAIL PROTECTED] writes:
> >
> > > Hello, If memory serves me correctly there's a line in /etc/X11 that you can add/modify to tell it to NOT listen.
> >
> > startx -- -nolisten tcp will have the effect. However, there doesn't seem to be a global setting that will enforce it system-wide, short of aliasing startx to that command.

There is at least if you use a display manager: edit /etc/X11/*dm/Xservers and add -nolisten tcp to the end of the relevant line if it isn't there already. AFAIK you can do it for all servers in /etc/X11/xinit/xserverrc, but as has been said, it should be there by default.

-- 
Chris Boyle - Winchester College - http://archives.wincoll.ac.uk/
For my PGP key visit: http://archives.wincoll.ac.uk/finger.php?q=chrisb
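The Xservers edit Chris describes, as an added shell example that is not from his message or from any display manager package: it lists the local server lines in an xdm/wdm-style Xservers file that still lack `-nolisten tcp`, and appends the option to them idempotently. It assumes the standard Xservers line format `:0 local /path/to/X args` (type `local` or `foreign` in the second field); the sample file in `demo()` is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from any display manager package):
# audit and fix an xdm/wdm-style Xservers file so every local server line
# carries -nolisten tcp. Assumes the standard Xservers line format
# ":0 local /path/to/X args", as in /etc/X11/*dm/Xservers on Debian.
# Character classes are spelled out as [ \t] so the awk used by old mawk
# builds accepts them.

# Print the local server lines that lack -nolisten tcp (comments skipped).
# Prints nothing when the file is already hardened.
xservers_missing_nolisten() {
    awk '/^[ \t]*#/ { next }
         $2 == "local" && $0 !~ /-nolisten[ \t]+tcp/ { print }' "$1"
}

# Append " -nolisten tcp" to each local server line that lacks it, writing
# through a temp file so a failed awk never truncates the config. Running
# it twice changes nothing. Foreign-display lines (":1 foreign ...") are
# left alone: there is no local server on that line to pass options to.
xservers_add_nolisten() {
    awk '/^[ \t]*#/ { print; next }
         $2 == "local" && $0 !~ /-nolisten[ \t]+tcp/ { print $0 " -nolisten tcp"; next }
         { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demonstration on a constructed Xservers file with one unhardened line,
# one already hardened line and one foreign display.
demo() {
    tmp=$(mktemp -d)
    printf '# Xservers (constructed sample)\n:0 local /usr/bin/X11/X vt7\n:1 local /usr/bin/X11/X -nolisten tcp vt8\n:2 foreign\n' > "$tmp/Xservers"
    echo "lines still listening on TCP:"
    xservers_missing_nolisten "$tmp/Xservers"
    xservers_add_nolisten "$tmp/Xservers"
    echo "after fix:"
    cat "$tmp/Xservers"
    rm -rf "$tmp"
}

demo
```

After changing the real file, the server only picks the option up on its next start, so restart the display manager and confirm with `netstat -ltn` (or `lsof -i TCP`, as in the original post) that nothing is left on port 6000.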
Re: wdm security

On Thu, 24 May 2001, Noah L. Meyerhans wrote:

> Interestingly enough, a quick find/grep traversal of the wdm source indicates that the only code for setting up network listeners comes directly from the xdm sources without modification at all. That implies to me that the listener on port 32768 should be as safe as the standard xdm listener on port 6000. But I still don't see why it's there.
>
> > this. Should I trash wdm or what? It's a little sad thing to do since it allows me to choose a window manager at login time, something xdm does not do (at least didn't last time I checked).
>
> I would not trash wdm just yet. Let me take a look. If you're concerned, you might want to firewall that port using ipchains or iptables.

I'm running a locally modified wdm version here. (Mostly removed the choosers on the start as they confuse my DAUs, and use a quite changed wmanager-chooser afterwards.) I also switched off the code in xdm for opening this port in the source. (There might also be a config option for it, but I did not find it.) As I only looked over the code very quickly, it seems only necessary for X sessions on other computers, which is very rarely used nowadays and nowhere in the local environment here. Some config option with a debconf question would be cool to have; when someone makes the week last 20 days I might send a patch, but university uses all my time currently.

Respectfully,
Bernhard R. Link
RE: wdm security

Ed == Ed Street [EMAIL PROTECTED] writes:

> Hello, If memory serves me correctly there's a line in /etc/X11 that you can add/modify to tell it to NOT listen.

startx -- -nolisten tcp will have the effect. However, there doesn't seem to be a global setting that will enforce it system-wide, short of aliasing startx to that command. When some X11 vulnerabilities were found in this area last year, the reporter suggested that desktop installs of X11 systems should enable this option as default. This would be nice to see added to debian, if only as part of the perennially-discussed task-harden. Doesn't even affect remote xsessions, as you should be using ssh to tunnel your sessions anyway.

Steve
wdm security

I am a little concerned about XFree86+wdm keeping a bunch of processes listening on port 32768. (wdm is the windowmaker xdm replacement.) According to lsof -i TCP, there are a number of processes listening on the port. When using X, I accept the obvious port 6000 being open for inbound connections and I believe XFree is secure enough with it (I only allow the local logged-in user from localhost to contact my X server) but what is this wdm doing listening on 32768? nmap says it's an unknown port and /etc/services does not recognise it. IANA seems to recognise the port as

    filenet-tms     32768/tcp    Filenet TMS
    filenet-tms     32768/udp    Filenet TMS

but I have no idea what Filenet TMS is.

I am a little at a loss with this. Should I trash wdm or what? It's a little sad thing to do since it allows me to choose a window manager at login time, something xdm does not do (at least didn't last time I checked).

For what it's worth, my wdm is Version: 1.20-5, from unstable. The newest seems to be 1.20-10, but I am in a habit of upgrading unstable stuff only if there is a problem/security issue. (Because things sometimes break, like alsa-utils was broken last week.)

-- 
| Juha Jäykkä, [EMAIL PROTECTED] |
| home: http://www.utu.fi/~juolja/ |
Re: wdm security

On Thu, May 24, 2001 at 01:53:46PM +0300, Juha Jäykkä wrote:

> I am a little concerned about XFree86+wdm keeping a bunch of processes listening on port 32768. (wdm is the windowmaker xdm

Hi. I am the wdm maintainer for Debian. I haven't been maintaining this package for too long, and I'm not sure why it listens on port 32768. I am going to look in to it, because it doesn't seem necessary to me. If I find that it is something that can safely be turned off (or if it's a bug) I will fix it for the next upload.

Interestingly enough, a quick find/grep traversal of the wdm source indicates that the only code for setting up network listeners comes directly from the xdm sources without modification at all. That implies to me that the listener on port 32768 should be as safe as the standard xdm listener on port 6000. But I still don't see why it's there.

> this. Should I trash wdm or what? It's a little sad thing to do since it allows me to choose a window manager at login time, something xdm does not do (at least didn't last time I checked).

I would not trash wdm just yet. Let me take a look. If you're concerned, you might want to firewall that port using ipchains or iptables.

noah

-- 
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
RE: wdm security

Hello,

If memory serves me correctly there's a line in /etc/X11 that you can add/modify to tell it to NOT listen.

Ed

-----Original Message-----
From: Noah L. Meyerhans [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 24, 2001 10:47 AM
To: Debian Security List
Subject: Re: wdm security

> On Thu, May 24, 2001 at 01:53:46PM +0300, Juha Jäykkä wrote:
>
> > I am a little concerned about XFree86+wdm keeping a bunch of processes listening on port 32768. (wdm is the windowmaker xdm
>
> Hi. I am the wdm maintainer for Debian. I haven't been maintaining this package for too long, and I'm not sure why it listens on port 32768. I am going to look in to it, because it doesn't seem necessary to me. If I find that it is something that can safely be turned off (or if it's a bug) I will fix it for the next upload.
>
> Interestingly enough, a quick find/grep traversal of the wdm source indicates that the only code for setting up network listeners comes directly from the xdm sources without modification at all. That implies to me that the listener on port 32768 should be as safe as the standard xdm listener on port 6000. But I still don't see why it's there.
>
> > this. Should I trash wdm or what? It's a little sad thing to do since it allows me to choose a window manager at login time, something xdm does not do (at least didn't last time I checked).
>
> I would not trash wdm just yet. Let me take a look. If you're concerned, you might want to firewall that port using ipchains or iptables.
>
> noah
>
> -- 
> | Web: http://web.morgul.net/~frodo/
> | PGP Public Key: http://web.morgul.net/~frodo/mail.html