|
Home : Advisories : Mandrake 7.1 bypasses Xauthority X session security
Title: |
Mandrake 7.1 bypasses Xauthority X session security |
Released by: |
|
Date: |
30th September 2000 |
Printable version: |
Click here |
-----BEGIN PGP SIGNED MESSAGE-----
Summary:
There is a line in the /etc/X11/Xsession file that bypasses the Xauthority
mechanism allowing any local user to connect to another local user's X session.
Fix:
Remove the following line in the /etc/X11/Xsession file and restart X.
/usr/X11R6/bin/xhost + localhost
Full Text:
While trying to figure out why my ~/.Xclients file would not run, I ran across
this line in /etc/X11/Xsession:
# Mandrake-Security : if you remove this comment, remove the next line too.
/usr/X11R6/bin/xhost + localhost
This line disables the Xauthority mechanism on the localhost. Anyone logged
into the localhost can arbitrarily connect to an X server running on the
localhost. IMHO this is a big security hole. Anyone that can connect to your X
server can sniff your keystrokes, see your program output etc. This can easily
lead to local root compromise if the administrator logged in through X and
executed su - and entered the root password.
This may not be so bad for those that use a single machine for each user and
don't setup logins for other people on that single machine. But for those of us
that have large cycle-server machines that have multiple people allowed to
login and run X, this can be a very large hole.
I have not tested every installation route, only "development-expert" and
"server-custom" both with the high-security option turned on. The offending
line is present in the Xsession file on each installation. I suspect that this
line is present in all installation routes.
I also found that the ssh-agent handling is very poor. The Xsession file does
not allow the ~/.Xclients file ever to be run when run under [xkg]dm. When run
under [xkg]dm there is no ability to add new keys to the agent
automatically. Also, Xsession makes assumptions about the version and usage of
SSH that should not be present in the Xsession file, but should be put in the
the users ~/.Xclients file.
I have attached my revised Xsession and ~/.Xclients file. The ~/.Xclients file
should be revised to fit your installation's needs and put in /etc/skel for
future new users. All present users should have the revised ~./Xclients file
placed in their home directories. Ensure the permissions for the ~/.Xclients
file is 0700 and owned by the user. I have not thoroughly tested it in any
environment other than our own.
You only have to put in my revised Xsession/Xclients if you want the improved
ssh-agent handling, it is not necessary to close the security hole. All that is
necessary to close the hole is to remove the offending line.
I have not notified the vendor because the fix is very easy to make on your
own. I suspect that they will see this advisory and act accordingly.
Daniel P. Zepeda
Lead Administrator
University of Texas at San Antonio
Computer Science Information Security Laboratory
dpz@pobox.com
Find my public keys at:
http://www.cs.utsa.edu/~dzepeda/PublicKeys.html
Start----------------Xsession----------------------
#!/bin/bash -login
# Modification for Linux-Mandrake by Chmouel Boudjnah
# 20000309, Francis Galiegue : imwheel -k added for wheel
# mice and braindead-not-supporting-wheel-yet toolkits (this includes Qt...)
#
# Modified to correctly execute a user's .Xclient, .xinitrc etc.
# also corrected usage of ssh-agent. Daniel P. Zepeda
# redirect errors to a file in user's home directory if we can
for errfile in "$HOME/.xsession-errors" "${TMPDIR-/tmp}/xses-$USER" "/tmp/xses-$USER"
do
if ( cp /dev/null "$errfile" 2> /dev/null )
then
chmod 600 "$errfile"
exec > "$errfile" 2>&1
break
fi
done
# Mandrake default background
xsetroot -solid \#356390
if [ -f /usr/bin/ssh-agent ]; then
ssh_agent="/usr/bin/ssh-agent"
fi
# Set user's client if present - dpz
userclient=":"
if [ -f "$HOME/.xsession" ]; then
userclient="$HOME/.xsession"
elif [ -f "$HOME/.Xclients" ]; then
userclient="$HOME/.Xclients"
elif [ -f "$HOME/.xinitrc" ]; then
userclient="$HOME/.xinitrc"
fi
# clean up after xbanner
if [ -f /usr/X11R6/bin/freetemp ]; then
freetemp
fi
userresources=$HOME/.Xresources
userresources2=$HOME/.Xdefaults
sysresources=/etc/X11/Xresources
# merge in defaults and keymaps
if [ -f $sysresources ]; then
xrdb -merge $sysresources
fi
if [ -f $userresources ]; then
xrdb -merge $userresources
fi
if [ -f $userresources2 ]; then
xrdb -merge $userresources2
fi
if [ -x /etc/X11/xinit/fixkeyboard ]; then
/etc/X11/xinit/fixkeyboard
fi
if [ -z "$BROWSER" ] ; then
# we need to find a browser on this system
BROWSER=`which netscape`
if [ -z "$BROWSER" ] || [ ! -e "$BROWSER" ] ; then
# not found yet
BROWSER=
fi
fi
if [ -z "$BROWSER" ] ; then
# we need to find a browser on this system
BROWSER=`which lynx`
if [ -z "$BROWSER" ] || [ ! -e "$BROWSER" ] ; then
# not found yet
BROWSER=
else
BROWSER="xterm -font 9x15 -e lynx"
fi
fi
export BROWSER
if [ -x /usr/sbin/chksession ];then
LIST=$(/usr/sbin/chksession -l)
else
LIST="kde Gnome AfterStep Icewm AnotherLevel failsafe"
fi
# run scripts in /etc/X11/xinit.d
for i in /etc/X11/xinit.d/* ; do
[ -d $i ] && continue
# Don't run ??foo.{rpmsave,rpmorig,rpmnew} scripts
[ "${i%.rpmsave}" != "${i}" ] && continue
[ "${i%.rpmorig}" != "${i}" ] && continue
[ "${i%.rpmnew}" != "${i}" ] && continue
if [ -x $i ]; then
$i &
fi
done
# now, we see if xdm/gdm/kdm has asked for a specific environment
if [ $# = 1 ]; then
case $1 in
failsafe)
exec $ssh_agent xterm -geometry 80x24-0-0
;;
default)
;;
*)
exec $ssh_agent /bin/sh -c "$userclient; $(/usr/sbin/chksession -x=$1)"
;;
esac
else
# otherwise, take default action
if [ "x$userclient" != "x:" ]; then
exec $ssh_agent "$userclient"
fi
# We may try with chksession
if [ -x /usr/sbin/chksession ];then
#get the first available
SESSION=$(/usr/sbin/chksession -F)
[ "$SESSIONxxx" != "xxx" ] && exec $ssh_agent sh -c "$(/usr/sbin/chksession -x=$SESSION)"
fi
# Argh! Nothing good is installed. Fall back to icewm
if [ -x /usr/X11R6/bin/icewm-light ];then
exec $ssh_agent /usr/X11R6/bin/icewm-light
else
# gosh, neither fvwm95 nor fvwm2 is available;
# fall back to failsafe settings
xclock -geometry 100x100-5+5 &
xterm -geometry 80x30-50+150 &
if [ -x /usr/bin/netscape -a -f /usr/doc/HTML/index.html ]; then
netscape /usr/doc/HTML/index.html &
fi
if [ -x /usr/X11R6/bin/icewm-light ];then
exec $ssh_agent icewm-light
elif [ -x /usr/X11R6/bin/twm ];then
exec $ssh_agent twm
fi
fi
fi
# otherwise, take default action
if [ "x$userclient" != "x:" ]; then
exec $ssh_agent $userclient"
elif [ -x /etc/X11/xinit/Xclients ]; then
exec $ssh_agent /etc/X11/xinit/Xclients
else
exec $ssh_agent xsm
fi
End----------------------Xsession--------------------
Start--------------------~/.Xclients--------------------
# ~/.Xclients
# Note that you must *not* put any long running processes in this file
# without putting them in the background with `&'.
# Ensure user ownership of this file. Ensure permissions are 0700
# Add DSA key to ssh-agent
ssh-add ~/.ssh/id_dsa
# Add RSA key to ssh-agent
ssh-add ~/.ssh/identity
End------------------~/.Xclients--------------------------
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: XkX/tOYQCZlR2RE8YX06hAQW9qHNJzk6
iQA/AwUBOdUmVQwzV1P/qsETEQKEvwCaA0LxJ0EhuTz8RLkGPzL7O9mUTc8AoMXW
EfyiTmBs7dRWtk51sqa3StHa
=Cdav
-----END PGP SIGNATURE-----
|