
Re: kwm listening to port 1024




First, I remember something about changing this port number to a fixed
(privileged) port so you can firewall it.  Anybody have a reference to
this?

Second, Slackware 8 (XFree86 4) has this at the bottom of xdm-config

! SECURITY: do not listen for XDMCP or Chooser requests
! Comment out this line if you want to manage X terminals with xdm
DisplayManager.requestPort:   0

I'm not sure if this is new to X 4 or not.  Someone try it and find out :)

-Cedar


------------------------------
Date: Thu, 9 Aug 2001 00:33:06 +0300
From: Yedidya Bar-david <didi@tau.ac.il>
Subject: Re: kwm listening to port 1024

Hi

Out of interest, I looked a bit in the sources of kdm (which are
based on xdm, and are probably similar in behaviour).

After looking around a bit, I saw (what was expected) it listen(2)s
on an unbound socket and thus gets 1024 (the first free non-privileged
port). It seemed this socket is somehow connected to the chooser,
but I didn't want to look further.

Then I decided it was time for Google.
I searched on Google for 'xdm chooser socket', and the first answer
gave a full description of the subject. It seems to be a real
vulnerability.
I recommend that everyone interested read it.
For reference, it's at
http://www-uxsup.csx.cam.ac.uk/~pjb1008/project/xdm-socket/

Besides what this article says, I do not know how to make *dm not
listen. Note I do not allow (in Xaccess) anyone to use me as a
chooser (that is, no uncommented CHOOSER line), and it still
listens.

        didi
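
The behaviour described in the message above, as an added example that is not part of the original posts or of the kdm/xdm sources: calling listen(2) on a TCP socket that was never bound makes the kernel choose a free port on the wildcard address, so the port is not fixed and cannot be filtered by number. The function names are hypothetical; on a current Linux kernel the chosen port normally comes from the ephemeral range rather than being 1024.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* listen(2) on a TCP socket that was never bind(2)-ed, then ask the
 * kernel which local address it assigned. Returns 0 on success. */
static int listen_unbound(struct sockaddr_in *local)
{
    socklen_t len = sizeof *local;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(local, 0, sizeof *local);
    /* No bind() here: listen() makes the kernel auto-bind the socket. */
    int rc = listen(fd, 1);
    if (rc == 0)
        rc = getsockname(fd, (struct sockaddr *)local, &len);
    close(fd);
    return rc;
}

/* Port the kernel picked (host byte order), or 0 on failure. */
static unsigned kernel_chosen_port(void)
{
    struct sockaddr_in sa;
    return listen_unbound(&sa) == 0 ? ntohs(sa.sin_port) : 0;
}

/* 1 if the auto-bound socket accepts on every interface (0.0.0.0),
 * 0 if it is tied to one address, -1 on failure. */
static int bound_to_wildcard(void)
{
    struct sockaddr_in sa;
    if (listen_unbound(&sa) != 0)
        return -1;
    return sa.sin_addr.s_addr == htonl(INADDR_ANY);
}

int main(void)
{
    printf("kernel-chosen port: %u\n", kernel_chosen_port());
    printf("wildcard address:   %d\n", bound_to_wildcard());
    return 0;
}
```

Running it twice in a row usually prints two different ports, which is the practical obstacle to writing a firewall rule for a listener created this way.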




=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il