reassign 469462 ldm
notfound 469462 5.0.40~bzr20080214-1~40.etch.0
found 469462 2:0.1~bzr20071217-1
found 469462 2:0.1~bzr20071217-1
found 469462 0.99debian11
tags 469462 patch
tags 469462 pending
thanks
now that that's out of the way...

On Wed, Mar 05, 2008 at 12:16:51PM +0100, Christian Herzog wrote:
> X connections to :6 on LTSP clients are possible from any machine on the
> network.
>
> Some notes:
>
> - LDM_DIRECTX = False or True does not change anything
> - on the client, X is running with the '-auth /root/.Xauthority' flag.
>   However, /root is mounted ro by default. Adding it to copy_dirs in
>   /etc/default/ltsp-client-setup allows .Xauthority to be generated, but
>   X connections are still possible.
> - using iptables rules, we could at least restrict access to the
>   terminal server

thanks for reporting this! i think i have a viable patch below that fixes
the issue, and will include in an upload shortly.

from a post i just made to [EMAIL PROTECTED]:

if others haven't figured it out already, it seems like the "-ac" option
(disable access controls) we pass to the X server is what makes it possible
for any person knowing the ip and display number to read keystrokes on the
client and display client windows... a *nasty* security bug.

it *seems* like the way to ditch it is to *not* pass "-ac" at all, and to
*not* use xauth at all, and it generates a "fake" xauth that isn't stored
anywhere i can find... but ... is it insecure? it does prevent any person
knowing the ip address and display # to read/write to/from x clients, and as
a side-effect, breaks LDM_DIRECTX. i think that's ok for the short-term,
though long-term i would like to set up proper xauth.

short patch to at least partially address the issue (and hopefully not
provide a false sense of security):

# Shelved patch: only disable access control when in directx mode --- src/ldm.c 2008-03-05 01:20:28 +0000 +++ src/ldm.c 2008-03-05 22:18:33 +0000 @@ -183,7 +183,8 @@ argv[i++] = "-auth"; argv[i++] = ldminfo.authfile; argv[i++] = "-br"; - argv[i++] = "-ac"; + if (ldminfo.directx) + argv[i++] = "-ac"; argv[i++] = "-noreset"; if (*ldminfo.fontpath != '\0') { argv[i++] = "-fp"; 
@@ -477,7 +478,7 @@ fprintf(ldmlog, "Launching Xorg\n"); launch_x(); - create_xauth(); /* recreate .Xauthority */ + //create_xauth(); /* recreate .Xauthority */ if (!ldminfo.autologin) { fprintf(ldmlog, _("Spawning greeter: %s\n"), ldminfo.greeter_prog);

live well,
vagrant
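Review bot: in the first hunk, guarding only the `-ac` argument on `ldminfo.directx` leaves access control fully disabled whenever LDM_DIRECTX is on, so the reported condition (connections to :6 from any host) still reproduces in that configuration; the mail already calls this a partial fix, and the LDM_DIRECTX setting should be documented as "disables X access control on the client" so nobody enables it without knowing that. The `-auth ldminfo.authfile` argument stays unconditional, which makes the cookie in that file the only protection on the non-directx path, yet the reporter notes that `/root` is mounted read-only and `.Xauthority` is not generated unless `/root` is added to `copy_dirs` in `/etc/default/ltsp-client-setup`; it would be safer for ldm to log a warning, or refuse to launch X, when `ldminfo.authfile` does not exist at the point `argv` is built, rather than relying on whatever the server does with a missing auth file.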
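Review bot: in the second hunk, `//create_xauth();` leaves a commented-out call with its `/* recreate .Xauthority */` comment still attached, which a later reader will take for a stray edit; if the call is meant to stay out, remove it and record the reason next to the `"Launching Xorg\n"` log line, and if the two hunks are meant to toggle together, guard it on the same `ldminfo.directx` condition as the `-ac` argument so the two behaviours cannot drift apart. The mail describes the resulting state as a "fake" xauth stored nowhere the author could find, which is exactly what the planned "proper xauth" follow-up needs a pointer to in the source.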