xserver or gdm sets xhost + ; no security

Bug #73110 reported by Tinus
Affects | Status | Importance | Assigned to | Milestone
xserver-xgl (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

Binary package hint: xserver-xgl

I have installed Xgl and start it automatically using gdm. My custom.conf has the following added to it:

0=Xgl
[server-Xgl]
name=Xgl server
command=/usr/bin/Xgl :0 -fullscreen -ac -accel glx:pbuffer -accel xv:fbo
flexible=true

I checked, the xserver-xgl package is from Ubuntu, not from the window manager etc., no packages involved in this problem (as far as I know of course).

Now when I press ctrl-alt-backspace to get a new session, I noticed that somehow nautilus pops up on the new server (over the login screen).

I then logged on to the console with my normal user account, and was able to run an xterm with no problems (over the gdm login screen). This means I would have been able to capture anything displayed or typed to the login screen.

When I logged on, I checked using the 'xhost' program; this shows me the security is off:

'access control disabled, clients can connect from any host'

Luckily (or so netstat -a tells me) the server has the 'don't do tcp' option on, or this would be a major problem. Still an important local vulnerability.

Tinus (ajxsx5a02) wrote :

Oh, my versions are:

xserver-xgl-7.0.0.git.20060725-0ubuntu2
gdm-2.16.1-0ubuntu4
xserver-xorg-core-1:1.1.1-0ubuntu12

I am on an amd64 arch system, new edgy install.

Stijn Hoop (fritti) wrote :

I can repeat this bug as well.

sudo apt-get install xserver-xgl
sudo vi /etc/gdm/gdm.conf-custom

and add the lines as described.

sudo /etc/init.d/gdm restart

ALT+F2

env DISPLAY=:0.0 xterm

pops up an xterm over the login screen. Xhost reports 'no access control'. This doesn't work with the default X server though, not sure why the behaviour is different.

Changed in xserver-xgl:
status: Unconfirmed → Confirmed
Tinus (ajxsx5a02) wrote :

Some research shows that the -ac switch to the server causes this behaviour. I got the configuration from the beryl wiki:

http://wiki.beryl-project.org/wiki/Install/Ubuntu/Edgy/XGL#Adding_an_Xgl_login_session

Leaving out this switch fixes the problem and appears to cause no other. Since this page is a wiki, I removed the switch from the examples on this page, and added a warning about what it does.

Still I am unimpressed with Ubuntu's response or actually lack of response to this report. Even though it could be classified as 'User error', if that was the reason for the lack of response, adding a comment to say so would hardly seem like a lot of effort. After all, I did take the effort to create a bug report that contains enough information to resolve it.

Therefore I'm leaving the report open, wondering if someone will notice and close it.
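
A check for the misconfiguration identified in the comment above, as an added example that is not part of the original bug report. It scans a GDM configuration file for [server-*] sections whose command passes -ac as a standalone argument (a plain substring search would also hit -accel) and tests xhost output for the message quoted in the report. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): audit GDM server definitions for -ac.

# find_ac_servers FILE...
# Prints "FILE: [section] command" for each [server-*] section whose command=
# line passes -ac as its own argument. Returns 1 if any is found, else 0.
find_ac_servers() {
    awk '
        /^[ \t]*\[/ {                       # section header, e.g. [server-Xgl]
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/\].*$/, "", section)
            next
        }
        section ~ /^server-/ && /^[ \t]*command[ \t]*=/ {
            cmd = $0
            sub(/^[ \t]*command[ \t]*=[ \t]*/, "", cmd)
            n = split(cmd, arg, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (arg[i] == "-ac") {      # exact match, so -accel is ignored
                    printf "%s: [%s] %s\n", FILENAME, section, cmd
                    found = 1
                    break
                }
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# xhost_open TEXT: succeeds if xhost output reports access control disabled.
xhost_open() {
    case $1 in
        *"access control disabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: the server section from the report plus a variant without -ac.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[server-Xgl]
command=/usr/bin/Xgl :0 -fullscreen -ac -accel glx:pbuffer -accel xv:fbo
[server-XglSafe]
command=/usr/bin/Xgl :0 -fullscreen -accel glx:pbuffer -accel xv:fbo
EOF
find_ac_servers "$sample" || echo "found a server started with -ac"
rm -f "$sample"
```

On a real system the function would be pointed at the file edited in the report, for example `find_ac_servers /etc/gdm/gdm.conf-custom`, and `xhost_open "$(xhost)"` run inside the session confirms the runtime state.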

Kees Cook (kees) wrote :

Thanks for tracking this down! Since xserver-xgl is in "universe", and a non-default, I think it gets less attention. However, people are reading the bugs. :)

Changed in xserver-xgl:
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
