[BLFS Trac] #2519: Xorg-server optional security concern

BLFS Trac trac at linuxfromscratch.org
Wed Apr 30 22:10:04 PDT 2008


#2519: Xorg-server optional security concern
-------------------------------------+--------------------------------------
 Reporter:  dj at linuxfromscratch.org  |        Owner:  blfs-book at linuxfromscratch.org
     Type:  task                     |       Status:  new                           
 Priority:  normal                   |    Milestone:  future                        
Component:  BOOK                     |      Version:  SVN                           
 Severity:  normal                   |   Resolution:                                
 Keywords:                           |  
-------------------------------------+--------------------------------------
Comment (by alexander at linuxfromscratch.org):

 Suggested text for the book:

 By default, the X server (started with the startx command) listens on a
 Unix-domain socket for local connections and also on TCP port 6000 for
 remote connections. Unauthenticated remote TCP connections are rejected by
 default, but it is more secure to disable the TCP socket completely, in
 case a remotely exploitable bug is found in the future in the code
 that checks the authentication cookie. If you wish to do so, create the
 /etc/X11/xinit/xserverrc file that is read by the xinit program, and thus
 indirectly used by startx:

 {{{
 cat >/etc/X11/xinit/xserverrc <<"EOF"
 #!/bin/sh
 # Keep the display and options that xinit passes on the command line
 exec /usr/bin/X -nolisten tcp "$@"
 EOF
 chmod 755 /etc/X11/xinit/xserverrc
 }}}

 You can also use the /etc/X11/xinit/xserverrc file to add other default
 arguments to the X server command line.

 FIXME: explain how to pass the "-nolisten tcp" arguments with gdm, kdm and
 xdm.

-- 
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/2519#comment:1>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
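
A check for the setting proposed in the comment above, as an added example that is not part of the ticket or the BLFS book: it lists sockets in LISTEN state on the X11 TCP ports (6000 plus the display number) from a table in /proc/net/tcp format. The function names, the upper bound of 6063 and the sample table are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report TCP listeners in the X11 port range.
# Input is a socket table in /proc/net/tcp format: column 2 is
# local_address as HEXIP:HEXPORT, column 4 is the state (0A = LISTEN).

x11_tcp_listeners() {
    # $1: table to read; defaults to the live IPv4 table, "-" reads stdin
    table=${1:-/proc/net/tcp}
    awk '
        function hex2dec(h,   i, n) {
            n = 0
            h = toupper(h)
            for (i = 1; i <= length(h); i++)
                n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
            return n
        }
        NR > 1 && $4 == "0A" {
            # the port is the hex field after the last colon
            n = split($2, a, ":")
            port = hex2dec(a[n])
            # 6000 + display number; the 6063 ceiling is an assumed cut-off
            if (port >= 6000 && port <= 6063)
                printf "display :%d listening on TCP port %d\n", port - 6000, port
        }
    ' "$table"
}

# Constructed sample table (not captured from a real host):
#   row 0: listener on 0x1770 = 6000, i.e. X display :0 with TCP enabled
#   row 1: listener on 0x0016 = 22, outside the X11 range
#   row 2: established connection (state 01) on port 6001, not a listener
sample_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1771 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1
EOF
}

# Demonstration on the constructed table; only row 0 is reported.
sample_table | x11_tcp_listeners -
```

On a live system, call `x11_tcp_listeners` with no argument and again with `/proc/net/tcp6`; no output from either means no X server is accepting TCP connections in that port range.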


