Date:         Fri, 29 Sep 2000 18:27:07 -0500
Subject:      Mandrake 7.1 bypasses Xauthority X session security.
To: BUGTRAQ@SECURITYFOCUS.COM

Summary:

A line in the /etc/X11/Xsession file bypasses the Xauthority mechanism,
allowing any local user to connect to any other local user's X session.

Fix:

Remove the following line from the /etc/X11/Xsession file and restart X.

/usr/X11R6/bin/xhost + localhost


Full Text:


While trying to figure out why my ~/.Xclients file would not run, I ran across
this line in /etc/X11/Xsession:

# Mandrake-Security : if you remove this comment, remove the next line too.
/usr/X11R6/bin/xhost + localhost

This line disables the Xauthority mechanism for connections from the local
host: anyone logged into the local host can connect to any X server running on
it, without the owner's Xauthority cookie. IMHO this is a big security hole.
Anyone who can connect to your X server can sniff your keystrokes, see your
program output, etc. This can easily lead to a local root compromise if the
administrator logs in through X, runs su - and enters the root password.
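An added audit script, not part of the original advisory and not Mandrake's code: it flags uncommented "xhost +" grants in an Xsession-style file, emits a copy with those lines commented out (the advisory's fix; X still has to be restarted), and checks a running display's access list. The Xsession fragment it scans is constructed inline for the demonstration.

```shell
#!/bin/sh
# Audit an Xsession-style script for "xhost +" grants, the defect this advisory
# describes: a line such as "/usr/X11R6/bin/xhost + localhost" adds the local
# host to the server's access list, so any local user can connect to the
# display without the owner's Xauthority cookie. Constructed example; not
# Mandrake's Xsession and not part of the original advisory.

# Matches an uncommented xhost invocation (bare or by full path) that adds
# an entry: "xhost +", "xhost + localhost", "xhost +local:". Removals
# ("xhost -localhost") and commented-out lines are not matched.
XHOST_GRANT_RE='^[^#]*(^|[[:space:]/])xhost[[:space:]]+\+'

# Print each offending line with its line number; exit 0 if any was found.
find_xhost_grants() {
    grep -nE "$XHOST_GRANT_RE" "$1"
}

# Emit a copy of the script with each grant commented out, which is the
# advisory's fix (then restart X so the running server is not left open).
disable_xhost_grants() {
    sed -E "\\%$XHOST_GRANT_RE%s/^/# disabled by audit: /" "$1"
}

# Live check on a running display: "xhost" with no arguments lists the hosts
# currently allowed in. Any INET:/LOCAL: entry means cookies are bypassed.
display_is_open() {
    xhost 2>/dev/null | grep -qiE 'access control disabled|^(INET|INET6|LOCAL):'
}

# Constructed sample Xsession fragment used for the demonstration below.
write_sample_xsession() {
    cat > "$1" <<'EOF'
#!/bin/bash -login
# Mandrake-Security : if you remove this comment, remove the next line too.
/usr/X11R6/bin/xhost + localhost
xsetroot -solid \#356390
# xhost + localhost    (already commented out: must not be flagged)
xhost +local:
xhost -localhost
EOF
}

sample="${TMPDIR:-/tmp}/xsession-audit.$$"
write_sample_xsession "$sample"
echo "Grants found in $sample:"
find_xhost_grants "$sample"
disable_xhost_grants "$sample" > "$sample.fixed"
echo "Fixed copy written to $sample.fixed"
```

Run display_is_open from inside an X session to confirm the running server's access list is clean after the fix.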

This may not be so bad for those who use a single machine per user and don't
set up logins for other people on it. But for those of us who run large
cycle-server machines where multiple people are allowed to log in and run X,
this is a very large hole.

I have not tested every installation route, only "development-expert" and
"server-custom", both with the high-security option turned on. The offending
line is present in the Xsession file on each of these installations. I suspect
that it is present in all installation routes.

I also found that the ssh-agent handling is very poor. The Xsession file never
allows the ~/.Xclients file to be run under [xkg]dm, so when running under
[xkg]dm there is no way to add new keys to the agent automatically. Also,
Xsession makes assumptions about the version and usage of SSH that do not
belong in the Xsession file; they should be in the user's ~/.Xclients file.

I have attached my revised Xsession and ~/.Xclients files. The ~/.Xclients file
should be revised to fit your installation's needs and put in /etc/skel for
future new users. All present users should have the revised ~/.Xclients file
placed in their home directories. Ensure the ~/.Xclients file is owned by the
user with permissions 0700. I have not thoroughly tested it in any environment
other than our own.

You only need to install my revised Xsession/Xclients if you want the improved
ssh-agent handling; it is not necessary to close the security hole. All that is
necessary to close the hole is to remove the offending line.


I have not notified the vendor because the fix is very easy to make on your
own. I suspect that they will see this advisory and act accordingly.


Daniel P. Zepeda
Lead Administrator
University of Texas at San Antonio
Computer Science Information Security Laboratory
dpz@pobox.com
Find my public keys at:
http://www.cs.utsa.edu/~dzepeda/PublicKeys.html


Start----------------Xsession----------------------

#!/bin/bash -login
# Modification for Linux-Mandrake by Chmouel Boudjnah <chmouel@mandraksoft.com>
# 20000309, Francis Galiegue <fg@mandrakesoft.com>: imwheel -k added for wheel
# mice and braindead-not-supporting-wheel-yet toolkits (this includes Qt...)
#
# Modified to correctly execute a user's .Xclient, .xinitrc etc.
# also corrected usage of ssh-agent. Daniel P. Zepeda <dpz@pobox.com>

# redirect errors to a file in user's home directory if we can

for errfile in "$HOME/.xsession-errors" "${TMPDIR-/tmp}/xses-$USER" "/tmp/xses-$USER"
do
    if ( cp /dev/null "$errfile" 2> /dev/null )
    then
        chmod 600 "$errfile"
        exec > "$errfile" 2>&1
        break
    fi
done

# Mandrake default background
xsetroot -solid \#356390

if [ -f /usr/bin/ssh-agent ]; then
    ssh_agent="/usr/bin/ssh-agent"
fi

# Set user's client if present - dpz
userclient=":"
if [ -f "$HOME/.xsession" ]; then
    userclient="$HOME/.xsession"
elif [ -f "$HOME/.Xclients" ]; then
    userclient="$HOME/.Xclients"
elif [ -f "$HOME/.xinitrc" ]; then
    userclient="$HOME/.xinitrc"
fi

# clean up after xbanner
if [ -f /usr/X11R6/bin/freetemp ]; then
    freetemp
fi

userresources=$HOME/.Xresources
userresources2=$HOME/.Xdefaults
sysresources=/etc/X11/Xresources

# merge in defaults and keymaps
if [ -f $sysresources ]; then
    xrdb -merge $sysresources
fi

if [ -f $userresources ]; then
    xrdb -merge $userresources
fi

if [ -f $userresources2 ]; then
    xrdb -merge $userresources2
fi

if [ -x /etc/X11/xinit/fixkeyboard ]; then
    /etc/X11/xinit/fixkeyboard
fi

if [ -z "$BROWSER" ] ; then
        # we need to find a browser on this system
        BROWSER=`which netscape`
        if [ -z "$BROWSER" ] || [ ! -e "$BROWSER" ] ; then
        # not found yet
                BROWSER=
        fi
fi

if [ -z "$BROWSER" ] ; then
        # we need to find a browser on this system
        BROWSER=`which lynx`
        if [ -z "$BROWSER" ] || [ ! -e "$BROWSER" ] ; then
        # not found yet
                BROWSER=
        else
                BROWSER="xterm -font 9x15 -e lynx"
        fi
fi
export BROWSER

if [ -x /usr/sbin/chksession ];then
    LIST=$(/usr/sbin/chksession -l)
else
    LIST="kde Gnome AfterStep Icewm AnotherLevel failsafe"
fi

# run scripts in /etc/X11/xinit.d
for i in /etc/X11/xinit.d/* ; do
    [ -d $i ] && continue
    # Don't run ??foo.{rpmsave,rpmorig,rpmnew} scripts
    [ "${i%.rpmsave}" != "${i}" ] && continue
    [ "${i%.rpmorig}" != "${i}" ] && continue
    [ "${i%.rpmnew}" != "${i}" ] && continue

    if [ -x $i ]; then
        $i &
    fi
done

# now, we see if xdm/gdm/kdm has asked for a specific environment
if [ $# = 1 ]; then
    case $1 in
        failsafe)
        exec $ssh_agent xterm -geometry 80x24-0-0
        ;;
        default)
        ;;
        *)
        exec $ssh_agent /bin/sh -c "$userclient; $(/usr/sbin/chksession -x=$1)"
        ;;
    esac
else
    # otherwise, take default action
    if [ "x$userclient" != "x:" ]; then
        exec $ssh_agent "$userclient"
    fi

    # We may try with chksession
    if [ -x /usr/sbin/chksession ];then
    #get the first available
        SESSION=$(/usr/sbin/chksession -F)
        [ "${SESSION}xxx" != "xxx" ] && exec $ssh_agent sh -c "$(/usr/sbin/chksession -x=$SESSION)"
    fi

    # Argh! Nothing good is installed. Fall back to icewm
    if [ -x /usr/X11R6/bin/icewm-light ];then
        exec $ssh_agent /usr/X11R6/bin/icewm-light
    else
        # gosh, icewm-light is not available either;
        # fall back to failsafe settings
        xclock -geometry 100x100-5+5 &
        xterm -geometry 80x30-50+150 &
        if [ -x /usr/bin/netscape -a -f /usr/doc/HTML/index.html ]; then
            netscape /usr/doc/HTML/index.html &
        fi
        if [ -x /usr/X11R6/bin/icewm-light ];then
            exec $ssh_agent icewm-light
        elif [ -x /usr/X11R6/bin/twm ];then
            exec $ssh_agent twm
        fi
    fi
fi

# otherwise, take default action
if [ "x$userclient" != "x:" ]; then
    exec $ssh_agent "$userclient"
elif [ -x /etc/X11/xinit/Xclients ]; then
    exec $ssh_agent /etc/X11/xinit/Xclients
else
    exec $ssh_agent xsm
fi

End----------------------Xsession--------------------

Start--------------------~/.Xclients--------------------

#!/bin/sh
# ~/.Xclients
# Note that you must *not* put any long running processes in this file
# without putting them in the background with `&'.
# Ensure user ownership of this file. Ensure permissions are 0700

# Add DSA key to ssh-agent
ssh-add  ~/.ssh/id_dsa

# Add RSA key to ssh-agent
ssh-add  ~/.ssh/identity

End------------------~/.Xclients--------------------------


