Re: kwm listening to port 1024
- To: linux-il(at-nospam)linux.org.il
- Subject: Re: kwm listening to port 1024
- From: Cedar Cox <cedarc(at-nospam)visionforisrael.com>
- Date: Sun, 12 Aug 2001 11:39:35 +0300 (IDT)
- Delivered-To: linux.org.il-linux-il@linux.org.il
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
First, I remember something about changing this port number to a fixed
(privileged) port so you can firewall it. Anybody have a reference to
this?
Second, Slackware 8 (XFree86 4) has this at the bottom of xdm-config:

    ! SECURITY: do not listen for XDMCP or Chooser requests
    ! Comment out this line if you want to manage X terminals with xdm
    DisplayManager.requestPort: 0

I'm not sure if this is new to X 4 or not. Someone try it and find out :)
-Cedar
------------------------------
>Date: Thu, 9 Aug 2001 00:33:06 +0300
From: Yedidya Bar-david <didi@tau.ac.il>
Subject: Re: kwm listening to port 1024
Hi
Out of interest, I looked a bit in the sources of kdm (which are
based on xdm, and are probably similar in behaviour).
After looking around a bit, I saw (what was expected) it listen(2)s
on an unbound socket and thus gets 1024 (the first free non-privileged
port). It seemed this socket is somehow connected to the chooser,
but I didn't want to look further.
Then I decided it was time for Google.
I searched on Google for 'xdm chooser socket', and the first answer
gave a full description of the subject. It seems to be a real
vulnerability.
I recommend to everyone interested to read it.
For reference, it's at
http://www-uxsup.csx.cam.ac.uk/~pjb1008/project/xdm-socket/
Besides what this article says, I do not know how to make *dm not
listen. Note I do not allow (in Xaccess) anyone to use me as a
chooser (that is, no uncommented CHOOSER line), and it still
listens.
didi
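
Added example, not part of the original messages and not taken from the kdm/xdm sources: a small C program showing the behaviour described above on Linux, where listen(2) on a TCP socket that was never bound makes the kernel pick a free port on the wildcard address, next to an explicit bind to 127.0.0.1. The function name listen_and_report is hypothetical, and the port chosen depends on the kernel's local port range, so it will not necessarily be 1024.

```c
/* Added example: listen(2) on an unbound TCP socket vs. a loopback bind. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listen on a TCP socket and report the address the kernel assigned.
 * loopback_only == 0: no bind() at all, as described in the thread.
 * loopback_only == 1: bind to 127.0.0.1 with port 0 (kernel picks the port).
 * Returns 0 and fills *out on success, -1 on error. */
int listen_and_report(int loopback_only, struct sockaddr_in *out)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (loopback_only) {
        struct sockaddr_in sa;
        memset(&sa, 0, sizeof sa);          /* sin_port stays 0 */
        sa.sin_family = AF_INET;
        sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
            close(fd);
            return -1;
        }
    }
    socklen_t len = sizeof *out;
    memset(out, 0, sizeof *out);
    int rc = -1;
    /* listen() auto-binds an unbound socket before it starts listening */
    if (listen(fd, 1) == 0 &&
        getsockname(fd, (struct sockaddr *)out, &len) == 0)
        rc = 0;
    close(fd);
    return rc;
}

int main(void)
{
    struct sockaddr_in a;
    for (int mode = 0; mode <= 1; mode++) {
        if (listen_and_report(mode, &a) != 0) { perror("listen_and_report"); return 1; }
        printf("%s: %s:%u\n", mode ? "bound to loopback" : "unbound",
               inet_ntoa(a.sin_addr), (unsigned)ntohs(a.sin_port));
    }
    return 0;
}
```

The unbound case reports 0.0.0.0 with a kernel-chosen port, which is why such a socket is reachable from every interface and hard to firewall by port number.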