Debian Bug report logs - #469462
X access wide open on LTSP clients


Package: ldm; Maintainer for ldm is LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>; Source for ldm is src:ldm.

Reported by: Christian Herzog <herzog@phys.ethz.ch>

Date: Wed, 5 Mar 2008 11:27:01 UTC

Severity: critical

Tags: patch, security

Found in versions ldm/2:0.1~bzr20071217-1, ltsp/0.99debian11

Fixed in versions ldm/2:0.1~bzr20080308-1, ldm/2:0.1~bzr20071217-1+lenny1, ldm/2:0.1~bzr20080326-1

Done: Vagrant Cascadian <vagrant@freegeek.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>:
Bug#469462; Package ltsp. Full text and rfc822 format available.

Acknowledgement sent to Christian Herzog <herzog@phys.ethz.ch>:
New Bug report received and forwarded. Copy sent to LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Christian Herzog <herzog@phys.ethz.ch>
To: submit@bugs.debian.org
Subject: X access wide open on LTSP clients
Date: Wed, 5 Mar 2008 12:16:51 +0100
Package: ltsp
Version: 5.0.40~bzr20080214-1~40.etch.0
Severity: critical

X connections to :6 on LTSP clients are possible from any machine on the
network.

Some notes:

- LDM_DIRECTX = False or True does not change anything
- on the client, X is running with the '-auth /root/.Xauthority' flag.
  However, /root is mounted ro by default. Adding it to copy_dirs in
  /etc/default/ltsp-client-setup allows .Xauthority to be generated, but
  X connections are still possible.
- using iptables rules, we could at least restrict access to the
  terminal server


best,
-Christian
-- 
Dr. Christian Herzog                    e-mail: herzog@phys.ethz.ch
IT Systems Specialist                   voice:      +41 44 633 3950
Department of Physics                   office:           HPR E86.1 
Swiss Federal Institute of Technology 	8093 Zurich,    Switzerland




Tags added: security Request was from Axel Beckert <beckert@phys.ethz.ch> to control@bugs.debian.org. (Wed, 05 Mar 2008 11:57:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>:
Bug#469462; Package ltsp. Full text and rfc822 format available.

Acknowledgement sent to vagrant@freegeek.org:
Extra info received and forwarded to list. Copy sent to LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #12 received at 469462@bugs.debian.org (full text, mbox):

From: vagrant@freegeek.org
To: Christian Herzog <herzog@phys.ethz.ch>, 469462@bugs.debian.org
Subject: Bug#469462: X access wide open on LTSP clients
Date: Sat, 8 Mar 2008 11:07:28 -0800
reassign 469462 ldm
notfound 469462 5.0.40~bzr20080214-1~40.etch.0
found 469462 2:0.1~bzr20071217-1
found 469462 2:0.1~bzr20071217-1
found 469462 0.99debian11
tags 469462 patch
tags 469462 pending
thanks

now that that's out of the way...

On Wed, Mar 05, 2008 at 12:16:51PM +0100, Christian Herzog wrote:
> X connections to :6 on LTSP clients are possible from any machine on the
> network.
> 
> Some notes:
> 
> - LDM_DIRECTX = False or True does not change anything
> - on the client, X is running with the '-auth /root/.Xauthority' flag.
>   However, /root is mounted ro by default. Adding it to copy_dirs in
>   /etc/default/ltsp-client-setup allows .Xauthority to be generated, but
>   X connections are still possible.
> - using iptables rules, we could at least restrict access to the
>   terminal server

thanks for reporting this! i think i have a viable patch below that
fixes the issue, and will include in an upload shortly.

from a post i just made to ltsp-developer@lists.sourceforge.net:

if others haven't figured it out already, it seems like the "-ac" option
(disable access controls) we pass to the X server is what makes it
possible for any person knowing the ip and display number to read
keystrokes on the client and display client windows... a *nasty*
security bug.

it *seems* like the way to ditch it is to *not* pass "-ac" at all, and
to *not* use xauth at all, and it generates a "fake" xauth that isn't
stored anywhere i can find...  but ... is it insecure? it does prevent
any person knowing the ip address and display # from reading/writing to/from x
clients, and as a side-effect, breaks LDM_DIRECTX. i think that's ok for
the short-term, though long-term i would like to set up proper xauth.

short patch to at least partially address the issue (and hopefully not
provide a false sense of security):

# Shelved patch: only disable access control when in directx mode
--- src/ldm.c   2008-03-05 01:20:28 +0000
+++ src/ldm.c   2008-03-05 22:18:33 +0000
@@ -183,7 +183,8 @@
     argv[i++] = "-auth";
     argv[i++] = ldminfo.authfile;
     argv[i++] = "-br";
-    argv[i++] = "-ac";
+    if (ldminfo.directx)
+        argv[i++] = "-ac";
     argv[i++] = "-noreset";
     if (*ldminfo.fontpath != '\0') {
         argv[i++] = "-fp";
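Review bot: gating `-ac` on `ldminfo.directx` leaves access control completely disabled whenever LDM_DIRECTX is enabled, so in that mode any host that can reach the display port still gets read/write access to the client's X server; the `-auth ldminfo.authfile` argument kept two lines above is what should protect the directx path instead. Consider dropping `-ac` unconditionally and adding a comment here stating that LDM_DIRECTX stays unsupported until the authfile cookie is actually used, rather than letting a display option silently switch security off.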
@@ -477,7 +478,7 @@

     fprintf(ldmlog, "Launching Xorg\n");
     launch_x();
-    create_xauth();                         /* recreate .Xauthority */
+    //create_xauth();                         /* recreate .Xauthority */

     if (!ldminfo.autologin) {
         fprintf(ldmlog, _("Spawning greeter: %s\n"), ldminfo.greeter_prog);
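Review bot: commenting out `create_xauth()` with `//` leaves dead code, and since the server is still started with `-auth ldminfo.authfile`, nothing now guarantees that file exists or holds a fresh cookie after `launch_x()`. If the intent is to rely on the server's default local-only access list, remove the call and say so in place of the `/* recreate .Xauthority */` comment; otherwise keep the call and have the greeter use the cookie. The `//` comment is also C99 syntax in a file that otherwise uses `/* */`.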

live well,
  vagrant
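The message above contrasts disabling access control with "setting up proper xauth". The following added example (written for this page, not ldm or LTSP code) shows what that means concretely: it builds an MIT-MAGIC-COOKIE-1 record in the binary `.Xauthority` layout that xauth(1) and libXau use, writes it with mode 0600, parses it back and looks up the cookie a client would present for a host/display pair. The host name `ltsp-client`, display `:6` and the temporary file path are constructed for the example.

```python
"""Build, write and parse an .Xauthority file holding an MIT-MAGIC-COOKIE-1.

Added example (not ldm or LTSP code): what "proper xauth" looks like on disk.
Host name, display number and temp path are constructed for the example.
"""
import os
import secrets
import struct
import tempfile

MIT_MAGIC_COOKIE_1 = b"MIT-MAGIC-COOKIE-1"
COOKIE_LEN = 16               # MIT-MAGIC-COOKIE-1 cookies are 128 bits
FAMILY_INTERNET = 0           # address field holds an IPv4 address
FAMILY_LOCAL = 256            # local connections; address field is the host name
FAMILY_WILD = 65535           # matches any family and address


def _field(data: bytes) -> bytes:
    """One length-prefixed Xauthority field (big-endian 16-bit length)."""
    if len(data) > 0xFFFF:
        raise ValueError("field too long for Xauthority")
    return struct.pack(">H", len(data)) + data


def make_entry(family: int, address: bytes, display: int, cookie: bytes) -> bytes:
    """Serialize one record: family, address, display number (as text), name, data."""
    if len(cookie) != COOKIE_LEN:
        raise ValueError("cookie must be 16 bytes")
    return (struct.pack(">H", family)
            + _field(address)
            + _field(str(display).encode("ascii"))
            + _field(MIT_MAGIC_COOKIE_1)
            + _field(cookie))


def parse_entries(blob: bytes) -> list:
    """Parse every record from an .Xauthority blob; reject truncated input."""
    entries, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated family field")
        family = struct.unpack(">H", blob[pos:pos + 2])[0]
        pos += 2
        fields = []
        for _ in range(4):                      # address, number, name, data
            if pos + 2 > len(blob):
                raise ValueError("truncated length field")
            n = struct.unpack(">H", blob[pos:pos + 2])[0]
            pos += 2
            if pos + n > len(blob):
                raise ValueError("truncated field body")
            fields.append(blob[pos:pos + n])
            pos += n
        address, number, name, data = fields
        entries.append({"family": family, "address": address,
                        "display": int(number.decode("ascii")),
                        "name": name, "cookie": data})
    return entries


def lookup_cookie(entries: list, family: int, address: bytes, display: int):
    """Return the cookie a client would present for (family, address, display).

    A FAMILY_WILD record matches any address, as in libXau's matching rules.
    """
    for e in entries:
        if e["name"] != MIT_MAGIC_COOKIE_1 or e["display"] != display:
            continue
        if e["family"] == FAMILY_WILD or (e["family"] == family and e["address"] == address):
            return e["cookie"]
    return None


def write_xauthority(path: str, raw_entries: list) -> None:
    """Create the file with mode 0600 so other local users cannot read the cookies."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        for raw in raw_entries:
            fh.write(raw)


def roundtrip_demo(hostname: str = "ltsp-client", display: int = 6) -> dict:
    """Write a fresh cookie for hostname:display, read it back, report the result."""
    cookie = secrets.token_bytes(COOKIE_LEN)          # fresh per-session cookie
    raw = make_entry(FAMILY_LOCAL, hostname.encode(), display, cookie)
    fd, path = tempfile.mkstemp(prefix="Xauthority-demo-")   # constructed path
    os.close(fd)
    try:
        write_xauthority(path, [raw])
        mode = os.stat(path).st_mode & 0o777
        with open(path, "rb") as fh:
            parsed = parse_entries(fh.read())
    finally:
        os.unlink(path)
    found = lookup_cookie(parsed, FAMILY_LOCAL, hostname.encode(), display)
    return {"mode": mode, "entries": len(parsed), "cookie_matches": found == cookie}


if __name__ == "__main__":
    print(roundtrip_demo())
```

The file produced by `roundtrip_demo` is what an X server started with `-auth <path>` (and without `-ac`) would load; a client then only gets in if it presents the same 16 bytes, which is the access check the `-ac` flag switches off.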




Bug reassigned from package `ltsp' to `ldm'. Request was from vagrant@freegeek.org to control@bugs.debian.org. (Sat, 08 Mar 2008 19:18:09 GMT) Full text and rfc822 format available.

Bug no longer marked as found in version 5.0.40~bzr20080214-1~40.etch.0. Request was from vagrant@freegeek.org to control@bugs.debian.org. (Sat, 08 Mar 2008 19:18:10 GMT) Full text and rfc822 format available.

Bug marked as found in version 2:0.1~bzr20071217-1. Request was from vagrant@freegeek.org to control@bugs.debian.org. (Sat, 08 Mar 2008 19:18:11 GMT) Full text and rfc822 format available.

Bug marked as found in version 2:0.1~bzr20071217-1. Request was from vagrant@freegeek.org to control@bugs.debian.org. (Sat, 08 Mar 2008 19:18:12 GMT) Full text and rfc822 format available.

Bug marked as found in version 0.99debian11. Request was from vagrant@freegeek.org to control@bugs.debian.org. (Sat, 08 Mar 2008 19:18:13 GMT) Full text and rfc822 format available.

Tags added: patch Request was from vagrant@freegeek.org to control@bugs.debian.org. (Sat, 08 Mar 2008 19:18:14 GMT) Full text and rfc822 format available.

Tags added: pending Request was from vagrant@freegeek.org to control@bugs.debian.org. (Sat, 08 Mar 2008 19:18:15 GMT) Full text and rfc822 format available.

Reply sent to Vagrant Cascadian <vagrant@freegeek.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Christian Herzog <herzog@phys.ethz.ch>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #31 received at 469462-close@bugs.debian.org (full text, mbox):

From: Vagrant Cascadian <vagrant@freegeek.org>
To: 469462-close@bugs.debian.org
Subject: Bug#469462: fixed in ldm 2:0.1~bzr20080308-1
Date: Sun, 09 Mar 2008 03:32:02 +0000
Source: ldm
Source-Version: 2:0.1~bzr20080308-1

We believe that the bug you reported is fixed in the latest version of
ldm, which is due to be installed in the Debian FTP archive:

ldm_0.1~bzr20080308-1.diff.gz
  to pool/main/l/ldm/ldm_0.1~bzr20080308-1.diff.gz
ldm_0.1~bzr20080308-1.dsc
  to pool/main/l/ldm/ldm_0.1~bzr20080308-1.dsc
ldm_0.1~bzr20080308-1_i386.deb
  to pool/main/l/ldm/ldm_0.1~bzr20080308-1_i386.deb
ldm_0.1~bzr20080308.orig.tar.gz
  to pool/main/l/ldm/ldm_0.1~bzr20080308.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 469462@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian <vagrant@freegeek.org> (supplier of updated ldm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat,  8 Mar 2008 21:42:40 -0500
Source: ldm
Binary: ldm
Architecture: source i386
Version: 2:0.1~bzr20080308-1
Distribution: unstable
Urgency: high
Maintainer: LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>
Changed-By: Vagrant Cascadian <vagrant@freegeek.org>
Description: 
 ldm        - LTSP display manager
Closes: 469462
Changes: 
 ldm (2:0.1~bzr20080308-1) unstable; urgency=high
 .
   * urgency set to high, as it fixes an RC/security bug, and upstream updates
     are minor.
 .
   * new upstream:
     - move ldm screen.d script to /usr/share/ltsp/screen.d
       + keep symlink to old location
       + patch to work with either /usr/share or /usr/lib
     - move ldm-script and rc.d scripts back to /usr/share/ldm
     - change LDM_ALLOW_GUEST variable to LDM_GUESTLOGIN
 .
   * patch fixing X access security bug (Closes: #469462)
 .
   * debian/rules, debian/control:
     - add support for and depend on dpatch
Files: 
 4894387b71a54f5f1287927c2aa6aa5d 883 misc extra ldm_0.1~bzr20080308-1.dsc
 57051e91358671b79364ba2b1b169b54 444139 misc extra ldm_0.1~bzr20080308.orig.tar.gz
 ddedc4ac34b814c07168957eff037906 5682 misc extra ldm_0.1~bzr20080308-1.diff.gz
 26a5c0ee1df43bdaa0cb6b1828d6e6e6 138604 misc extra ldm_0.1~bzr20080308-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH01cOlPc63BPWGpkRAtLjAJwNrESOmq/+UgXNKmfkNhc4TW+PnACfWMeq
XqkwmwQWtZfBFvaX7lxrT3A=
=zCWM
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>:
Bug#469462; Package ldm. Full text and rfc822 format available.

Acknowledgement sent to vagrant@freegeek.org:
Extra info received and forwarded to list. Copy sent to LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #36 received at 469462@bugs.debian.org (full text, mbox):

From: vagrant@freegeek.org
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Axel Beckert <beckert@phys.ethz.ch>, team@security.debian.org, 469462@bugs.debian.org
Subject: Re: JFYI: #469462 ltsp: X access wide open on LTSP clients
Date: Sun, 9 Mar 2008 08:00:59 -0700
On Sun, Mar 09, 2008 at 02:52:01PM +0100, Moritz Muehlenhoff wrote:
> On Wed, Mar 05, 2008 at 01:29:35PM +0100, Axel Beckert wrote:
> > JFYI: http://bugs.debian.org/469462 may need security updates for
> > Etch...
> 
> Axel, thanks for bringing this our attention. 
> 
> Vagrant, since the ldm source package is not present in Etch, does
> this not affect stable at all or has the code been moved between
> packages?

the ldm package in etch is part of the ltsp source, and while i haven't
verified it for sure, i believe it also is affected by the bug.

the ldm version in etch is implemented in python rather than C, so it
will require a totally different patch.

i will be looking into it over the next couple days.

live well,
  vagrant

p.s. please keep CCing the bug report or
pkg-ltsp-devel@lists.alioth.debian.org so that the rest of the pkg-ltsp
team sees the discussion.




Information forwarded to debian-bugs-dist@lists.debian.org, LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>:
Bug#469462; Package ldm. Full text and rfc822 format available.

Acknowledgement sent to vagrant@freegeek.org:
Extra info received and forwarded to list. Copy sent to LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #41 received at 469462@bugs.debian.org (full text, mbox):

From: vagrant@freegeek.org
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 469462@bugs.debian.org, team@security.debian.org, Axel Beckert <beckert@phys.ethz.ch>
Subject: JFYI: #469462 ltsp: X access wide open on LTSP clients
Date: Sun, 9 Mar 2008 19:35:27 -0700
On Sun, Mar 09, 2008 at 08:00:59AM -0700, vagrant@freegeek.org wrote:
> On Sun, Mar 09, 2008 at 02:52:01PM +0100, Moritz Muehlenhoff wrote:

> > Vagrant, since the ldm source package is not present in Etch, does
> > this not affect stable at all or has the code been moved between
> > packages?
> 
> the ldm package in etch is part of the ltsp source, and while i haven't
> verified it for sure, i believe it also is affected by the bug.

yes, i can confirm that the version of ldm (0.99debian11) in etch is
vulnerable.

> the ldm version in etch is implemented in python rather than C, so it
> will require a totally different patch.

applied this patch to the ltsp sources in etch, downloaded from:

http://ftp.de.debian.org/debian/pool/main/l/ltsp/ltsp_0.99debian11.dsc

--- client/ldm.orig	2008-03-09 22:15:23.000000000 -0400
+++ client/ldm	2008-03-09 22:15:34.000000000 -0400
@@ -63,7 +63,7 @@
         os.dup2(logfile.fileno(), sys.stderr.fileno())
 
         while True:
-            server_opts = ['-br', '-ac', '-noreset']
+            server_opts = ['-br', '-noreset']
             
             if self.use_xfs:
                 server_opts += ['-fp', self.fontpath]
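Review bot: removing `-ac` from `server_opts` restores access control but adds no `-auth` entry alongside it, so the server runs with only its default local-host access list; that is what keeps remote hosts out, and also what makes the direct remote X path (the LDM_DIRECTX breakage noted earlier in this thread) stop working, so the changelog for the etch update should say so. Pairing the removal with a per-session xauth cookie, as the later unstable upload does, would be the complete fix.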

i've tested that it prevents people from reading/writing to the X
display, and that ldm still can log in to the server.

note that, when making the security advisory, it may be good to mention
that most ldm installs are likely to be in a chroot
environment (the chroot is exported over NFS), and will not be upgraded
merely by upgrading the server itself. for example, on i386, to upgrade
ldm will likely require:

  chroot /opt/ltsp/i386 apt-get update
  chroot /opt/ltsp/i386 apt-get dist-upgrade

if there is any additional assistance needed, please feel free to
contact pkg-ltsp-devel@lists.alioth.debian.org or make further comments
on the bug report, which will be forwarded to the list.

thanks!

live well,
  vagrant
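The two patches in this thread both come down to one question an administrator can check on a running system: is any X server on the client started with `-ac`, and if not, does it have an `-auth` cookie or at least `-nolisten tcp`? The following added example (not LTSP or ldm code) is a small audit that answers that from `ps -eo args` style output or a `/proc/<pid>/cmdline` blob. The set of X server binary names and the sample process lines are assumptions constructed for the example; the first sample line mirrors the flags the bug report describes.

```python
"""Audit X server command lines for disabled access control ("-ac").

Added example (not LTSP or ldm code): a defender-side check for X servers
started the way this bug report describes. The binary names and the sample
ps output below are assumptions constructed for the example.
"""
import shlex

# assumption: common X server binary names found on clients and servers
X_SERVER_NAMES = {"X", "Xorg", "Xvfb", "Xnest", "Xephyr"}


def audit_argv(argv):
    """Classify one argv; return None if it is not an X server process."""
    if not argv or argv[0].rsplit("/", 1)[-1] not in X_SERVER_NAMES:
        return None
    opts = argv[1:]
    display = next((a for a in opts
                    if a.startswith(":") and a[1:].split(".", 1)[0].isdigit()), None)
    auth_file = None
    nolisten_tcp = False
    for i, a in enumerate(opts):
        if a == "-auth" and i + 1 < len(opts):
            auth_file = opts[i + 1]
        elif a == "-nolisten" and i + 1 < len(opts) and opts[i + 1] == "tcp":
            nolisten_tcp = True
    ac = "-ac" in opts
    if ac:
        severity = "high"      # anyone who can reach the display may read/write it
    elif auth_file is None and not nolisten_tcp:
        severity = "medium"    # TCP listener with no cookie: host-based access only
    else:
        severity = "ok"
    return {"display": display, "access_control_disabled": ac,
            "auth_file": auth_file, "nolisten_tcp": nolisten_tcp,
            "severity": severity}


def audit_ps_output(text):
    """Audit 'ps -eo args --no-headers' style output, one command line per line."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        finding = audit_argv(shlex.split(line))
        if finding:
            findings.append(finding)
    return findings


def audit_proc_cmdline(blob: bytes):
    """Audit one /proc/<pid>/cmdline blob (NUL-separated argv)."""
    argv = [a.decode("utf-8", "replace") for a in blob.split(b"\0") if a]
    return audit_argv(argv)


# constructed sample output; line 1 matches the flags from the bug report
SAMPLE_PS = """\
/usr/bin/X :6 -auth /root/.Xauthority -br -ac -noreset -fp unix/:7100
/usr/bin/X :7 -br -noreset
/usr/bin/Xorg :0 -auth /var/run/ldm-demo/auth -br -noreset -nolisten tcp
/usr/bin/xterm -display :6
"""


if __name__ == "__main__":
    for f in audit_ps_output(SAMPLE_PS):
        print(f"{f['display']}: {f['severity']} "
              f"(ac={f['access_control_disabled']}, auth={f['auth_file']}, "
              f"nolisten_tcp={f['nolisten_tcp']})")
```

On a real client, feed it `ps -eo args --no-headers` or iterate over `/proc/*/cmdline`; a `high` finding on a display reachable over the network is exactly the condition reported at the top of this bug. Note that a missing `-ac` only tells you access control is on; whether a cookie is in use depends on the `-auth` file actually existing, which the `/root` read-only mount in the original report shows is worth checking separately.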




Reply sent to Vagrant Cascadian <vagrant@freegeek.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Christian Herzog <herzog@phys.ethz.ch>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #46 received at 469462-close@bugs.debian.org (full text, mbox):

From: Vagrant Cascadian <vagrant@freegeek.org>
To: 469462-close@bugs.debian.org
Subject: Bug#469462: fixed in ldm 2:0.1~bzr20071217-1+lenny1
Date: Tue, 18 Mar 2008 18:17:08 +0000
Source: ldm
Source-Version: 2:0.1~bzr20071217-1+lenny1

We believe that the bug you reported is fixed in the latest version of
ldm, which is due to be installed in the Debian FTP archive:

ldm_0.1~bzr20071217-1+lenny1.diff.gz
  to pool/main/l/ldm/ldm_0.1~bzr20071217-1+lenny1.diff.gz
ldm_0.1~bzr20071217-1+lenny1.dsc
  to pool/main/l/ldm/ldm_0.1~bzr20071217-1+lenny1.dsc
ldm_0.1~bzr20071217-1+lenny1_amd64.deb
  to pool/main/l/ldm/ldm_0.1~bzr20071217-1+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 469462@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian <vagrant@freegeek.org> (supplier of updated ldm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 17 Mar 2008 14:24:04 -0700
Source: ldm
Binary: ldm
Architecture: source amd64
Version: 2:0.1~bzr20071217-1+lenny1
Distribution: testing-security
Urgency: low
Maintainer: LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>
Changed-By: Vagrant Cascadian <vagrant@freegeek.org>
Description: 
 ldm        - LTSP display manager
Closes: 469462
Changes: 
 ldm (2:0.1~bzr20071217-1+lenny1) testing-security; urgency=low
 .
   * backport patches from sid:
     - patch fixing X access security bug (Closes: #469462)
     - add support for and build-depend on dpatch
     - include ltsp screen script (previously in ltsp-client-core
       package, needed to start ldm)
     - drop ltspfs related ldm hook scripts (moved to ltspfsd package,
       which conflicts with ldm <= 2:0.1~bzr20071217-1)
Files: 
 15565ba0737365bcfd259830f413b4e3 874 misc optional ldm_0.1~bzr20071217-1+lenny1.dsc
 8e81642bad704654c1cd5583ea224c39 441489 misc optional ldm_0.1~bzr20071217.orig.tar.gz
 644c6ab22e94499c2466f1870c5e3e9b 5729 misc optional ldm_0.1~bzr20071217-1+lenny1.diff.gz
 db35851bdf533c314cb24ac8f95b3156 137608 misc optional ldm_0.1~bzr20071217-1+lenny1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH3+5cHYflSXNkfP8RAgAkAJ0QWfhwRneOueIvqrELp36CsxY4ygCggues
20PD+5rYQF3g9z9p65O9Vvo=
=LNzS
-----END PGP SIGNATURE-----





Reply sent to Vagrant Cascadian <vagrant@freegeek.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Christian Herzog <herzog@phys.ethz.ch>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #51 received at 469462-close@bugs.debian.org (full text, mbox):

From: Vagrant Cascadian <vagrant@freegeek.org>
To: 469462-close@bugs.debian.org
Subject: Bug#469462: fixed in ldm 2:0.1~bzr20080326-1
Date: Wed, 26 Mar 2008 15:47:03 +0000
Source: ldm
Source-Version: 2:0.1~bzr20080326-1

We believe that the bug you reported is fixed in the latest version of
ldm, which is due to be installed in the Debian FTP archive:

ldm_0.1~bzr20080326-1.diff.gz
  to pool/main/l/ldm/ldm_0.1~bzr20080326-1.diff.gz
ldm_0.1~bzr20080326-1.dsc
  to pool/main/l/ldm/ldm_0.1~bzr20080326-1.dsc
ldm_0.1~bzr20080326-1_i386.deb
  to pool/main/l/ldm/ldm_0.1~bzr20080326-1_i386.deb
ldm_0.1~bzr20080326.orig.tar.gz
  to pool/main/l/ldm/ldm_0.1~bzr20080326.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 469462@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian <vagrant@freegeek.org> (supplier of updated ldm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 26 Mar 2008 06:16:17 -0700
Source: ldm
Binary: ldm
Architecture: source i386
Version: 2:0.1~bzr20080326-1
Distribution: unstable
Urgency: low
Maintainer: LTSP Debian/Ubuntu Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>
Changed-By: Vagrant Cascadian <vagrant@freegeek.org>
Description: 
 ldm        - LTSP display manager
Closes: 469462
Changes: 
 ldm (2:0.1~bzr20080326-1) unstable; urgency=low
 .
   * new upstream:
     - use xauth when using unencrypted X sessions rather than disabling access
       control restrictions. (Closes: #469462)
     - support arbitrary xserver options
     - use common X code for ltsp screen script
 .
   * drop fix-access-control patch (applied upstream)
 .
   * compatibility with old ltsp versions:
     - include modified copies of screen-x-common and ltsp-common-functions
     - update old-ltsp-compatibility patch, add old-ltsp-xauth-compatibility
       patch to ensure ldm screen script and xauth code works with all ltsp
       versions
Files: 
 422905b3c04caf15ebb530bff22a8fe0 1040 misc extra ldm_0.1~bzr20080326-1.dsc
 d17a0043cd996d66f015f7ce37960eb0 447762 misc extra ldm_0.1~bzr20080326.orig.tar.gz
 14528716dd1e592f78c0b4c0142417cc 7107 misc extra ldm_0.1~bzr20080326-1.diff.gz
 e1ecd1a01a0d9d2d3f09062a8618efcc 140752 misc extra ldm_0.1~bzr20080326-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH6l2LlPc63BPWGpkRAl62AJ9rr1BpKD09NqXG6yFUj4O6ggXDOwCfSbMs
6VVbdhUFWZsPp34gfMAAV6o=
=PvP0
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 24 Apr 2008 07:36:12 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 01:09:26 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.