Ticket #1854 (closed enhancement: fixed)

Opened 10 years ago

Last modified 10 years ago

Xserver insecurely listens for TCP

Reported by: RuiSeabra
Owned by: julian_chu
Priority: normal
Milestone:
Component: Distro
Version:
Severity: normal
Keywords: Xserver security haspatch HasPatch
Cc: julian_chu@…
Blocked By:
Blocking:
Estimated Completion (week):
HasPatchForReview:
PatchReviewResult:
Reproducible: always

Description

Xserver listens for TCP on port 6000 by default. If you really want to have that, you can change from a secure default into a less secure default.

However, the default should not be to listen to anything at all since that is an attack vector which can be used to crack an OpenMoko.

The solution is simple: just add -nolisten tcp to the Xserver's flags.

Attachments

secure_etc_X11_Xserver.patch (275 bytes) - added by RuiSeabra 10 years ago.
Make X stop listening to TCP

Change History

Changed 10 years ago by RuiSeabra

Make X stop listening to TCP

comment:1 Changed 10 years ago by RuiSeabra

Since it no longer polls on the TCP port, it also reduces a tiny amount of battery usage.

Every watt counts!

comment:2 Changed 10 years ago by andy

I hope your proposed security-related improvements get taken seriously. Not running everything as root will be nice as well.

comment:3 Changed 10 years ago by zecke

  • Keywords HasPatch added
  • Cc julian_chu@… added

Julian please take a look.

comment:4 Changed 10 years ago by zecke

  • Owner changed from openmoko-kernel to julian_chu
  • Component changed from System Software to Distro

comment:5 Changed 10 years ago by john_lee

  • Status changed from new to in_testing

applied as 89f835b0bba6b6e5cd1d2f3eeeea394549130af3

comment:6 Changed 10 years ago by zecke

  • Resolution set to fixed

QA is not going over these kinds of bugs. netstat -ln looks sane for dropbear. Thanks john and julian!

comment:7 Changed 10 years ago by zecke

  • Status changed from in_testing to closed

Next attempt to close them with the batch modify. (status and resolution need to be set)
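
Added example, not part of the ticket or of the applied patch: a shell check for the two things discussed in this thread, finding X11 TCP listeners in netstat -ln output and confirming that an X server argument list carries -nolisten tcp. The netstat sample and the 6000-6063 port range (displays :0 to :63) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `netstat -ln` output for X11 TCP listeners.
# An X server started without "-nolisten tcp" listens on TCP port 6000+N
# for display :N.

# Print ":N address" for every TCP LISTEN socket on ports 6000-6063
# (displays :0 to :63; the upper bound is an assumption of this example).
x11_tcp_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        port = $4
        sub(/^.*:/, "", port)      # text after the last colon, so ":::6001" works
        port += 0                  # force numeric comparison, not string
        if (port >= 6000 && port <= 6063)
            printf ":%d %s\n", port - 6000, $4
    }'
}

# Succeed if the X server arguments given as "$@" contain "-nolisten tcp".
has_nolisten_tcp() {
    prev=""
    for arg in "$@"; do
        if [ "$prev" = "-nolisten" ] && [ "$arg" = "tcp" ]; then
            return 0
        fi
        prev=$arg
    done
    return 1
}

# Constructed sample of `netstat -ln` output (not captured from a device).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:60001         0.0.0.0:*               LISTEN
tcp6       0      0 :::6001                 :::*                    LISTEN
udp        0      0 0.0.0.0:6000            0.0.0.0:*
Active UNIX domain sockets (only servers)
unix  2      [ ACC ]     STREAM     LISTENING     1234     /tmp/.X11-unix/X0
EOF
}

# Demo: report each display that is reachable over TCP in the sample.
sample_netstat | x11_tcp_listeners | while read -r display addr; do
    echo "X display $display is listening on TCP at $addr"
done
```

On a device, replace sample_netstat with the real netstat -ln; an empty result means no X display is listening on TCP, while the local UNIX socket stays available.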
