Re: [suse-security] [jtb@THEO2.PHYSIK.UNI-STUTTGART.DE: XDM Insecurity revisited]
Seth R Arnold <sarnold@willamette.edu> wrote:
I checked the Xaccess file on a SuSE 6.0 machine near me -- and though I do not know exactly what the thing does, the comments in the file lead me to believe that the poster is correct...
----- Forwarded message from Jochen Bauer <jtb@THEO2.PHYSIK.UNI-STUTTGART.DE> -----
Date: Wed, 18 Aug 1999 12:26:20 +0200
From: Jochen Bauer <jtb@THEO2.PHYSIK.UNI-STUTTGART.DE>
Subject: XDM Insecurity revisited
To: BUGTRAQ@SECURITYFOCUS.COM
On Wed, 26 Nov 1997 Eric Augustus (augustus@stic.net) posted a message on BUGTRAQ about the fact that the default Xaccess file allows XDMCP connections from any host. As you know, this can be used to get a login screen on any host and therefore get around access control mechanisms like tcpwrapper and root login restriction to the console.
However, this warning seems to have had little effect, as (at least) Digital Unix 4.0E, SuSE Linux 6.1 and Red Hat Linux 6.0 are still (1.5 years later) shipped with this default Xaccess file. It is somehow ironic that e.g. SuSE now uses tcpwrappers by default on most TCP services in its distribution and describes the use of tcpwrappers in the manual in a special chapter about security, but fails to close (or even mention) that way to circumvent login restrictions. [...]
You can modify the startproc call in the "start)" section of /sbin/init.d/xdm to read

    startproc $DISPLAYMANAGER -udpPort 0 || return=$rc_failed

xdm/kdm isn't listening for XDMCP requests then. Maybe that could be an rc.config option (something like USE_XDMCP). I'll suggest it to SuSE developers.

Regards,
Lutz

--
Lutz Pressler | Service Network GmbH | Hannah-Vogt-Strasse 1 | D-37085 Goettingen
Tel: ++49-551-3700002 | FAX: ++49-551-3700009 | mailto:lp@SerNet.DE | http://www.SerNet.DE/
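As an added example (not part of the thread, and not SuSE's own scripts), the following POSIX shell script audits the two things the posts above discuss: whether an Xaccess file grants a login window to any host through bare "*" entries, and whether the display-manager start line in the init script already carries the "-udpPort 0" Lutz suggests. The sample Xaccess files and the init-script fragment are constructed here for the demonstration; the grep pattern assumes the startproc line has the shape quoted in the thread, and the script name audit_xdmcp.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: audit XDMCP exposure as the posts describe it.
#  (1) Does Xaccess grant a login window to any host ("*" entries)?
#  (2) Does the xdm init script start the display manager with "-udpPort 0"?
# All sample files written below are constructed for the demonstration.

# Constructed copy of the permissive default Xaccess the thread complains about.
make_default_xaccess() {
  cat > "$1" <<'EOF'
# Xaccess - XDMCP access control
*                               # any host can get a login window
*               CHOOSER BROADCAST   # any indirect query gets a chooser
EOF
}

# Restricted form: no wildcard entries, so an XDMCP Query from an unlisted host is refused.
make_hardened_xaccess() {
  cat > "$1" <<'EOF'
# Xaccess - XDMCP access control (restricted)
# Only named hosts may request a login window; the entry below is a placeholder.
# thinclient.example.internal
EOF
}

# Count Xaccess entries whose host pattern is a bare "*" (Direct/Broadcast or
# CHOOSER lines that match every host). Comments and blank lines are ignored.
count_open_entries() {
  awk '
    { sub(/#.*/, "") }      # strip trailing comments
    NF == 0 { next }        # skip blank lines
    $1 == "*" { n++ }       # the first field is the host pattern
    END { print n + 0 }
  ' "$1"
}

# Constructed fragment of an /sbin/init.d/xdm "start)" section with the
# "-udpPort 0" change from the thread already applied.
make_init_snippet() {
  cat > "$1" <<'EOF'
    start)
        echo -n "Starting $DISPLAYMANAGER"
        startproc $DISPLAYMANAGER -udpPort 0 || return=$rc_failed
        echo -e "$return"
        ;;
EOF
}

# Print "disabled" when the startproc line passes "-udpPort 0" (XDMCP listener off),
# otherwise "listening". Assumes the line has the form quoted in the thread.
xdmcp_status_in_script() {
  if grep -Eq 'startproc[[:space:]]+\$DISPLAYMANAGER[^|]*-udpPort[[:space:]]+0' "$1"; then
    echo disabled
  else
    echo listening
  fi
}

# Usage (hypothetical script name): sh audit_xdmcp.sh <path-to-Xaccess> /sbin/init.d/xdm
if [ $# -eq 2 ]; then
  open=$(count_open_entries "$1")
  echo "$1: $open wildcard (any-host) entries"
  echo "$2: XDMCP $(xdmcp_status_in_script "$2")"
fi
```

A host where the first check reports wildcard entries and the second reports "listening" is in the state the thread describes: the XDMCP listener accepts a Query from anywhere and hands back a login window, bypassing tcpwrapper-style restrictions on the other services. Either fix on its own closes that path; emptying the wildcard entries keeps XDMCP available for hosts you list explicitly, while "-udpPort 0" switches the listener off entirely.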