COMMAND
Xsession
SYSTEMS AFFECTED
Mandrake 7.1
PROBLEM
Daniel P. Zepeda found the following. There is a line in the
/etc/X11/Xsession file that bypasses the Xauthority mechanism,
allowing any local user to connect to another local user's X
session.
While trying to figure out why his ~/.Xclients file would not
run, Daniel ran across this line in /etc/X11/Xsession:
# Mandrake-Security : if you remove this comment, remove the next line too.
/usr/X11R6/bin/xhost + localhost
This line disables the Xauthority mechanism on the localhost.
Anyone logged into the localhost can arbitrarily connect to an X
server running on the localhost. This is a big security hole.
Anyone who can connect to your X server can sniff your
keystrokes, see your program output, etc. This can easily lead to
local root compromise if the administrator logs in through X,
runs su - and enters the root password.
This may not be so bad for those who use a single machine per
user and don't set up logins for other people on that machine.
But for those of us who run large cycle-server machines where
multiple people are allowed to log in and run X, this can be a
very large hole.
This has not been tested on every installation route, only
"development-expert" and "server-custom", both with the
high-security option turned on. The offending line is present in
the Xsession file on each of those installations.
Daniel also found that the ssh-agent handling is very poor. The
Xsession file never allows the ~/.Xclients file to be run when
started under [xkg]dm, and under [xkg]dm there is no way to add
new keys to the agent automatically. Also, Xsession makes
assumptions about the version and usage of SSH that should not be
in the Xsession file at all, but belong in the user's
~/.Xclients file.
SOLUTION
Remove the following line in the /etc/X11/Xsession file and
restart X.
/usr/X11R6/bin/xhost + localhost
All present users should have the revised ~/.Xclients file placed
in their home directories. Ensure the permissions of the
~/.Xclients file are 0700 and that it is owned by the user.
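The check below is an added example, not part of the advisory and not
Mandrake's code. It is a small POSIX shell audit that reports any active
(uncommented) "xhost +" line in an Xsession-style script and verifies that
a ~/.Xclients file is mode 0700 and owned by the expected user. The sample
Xsession contents are constructed from the fragment quoted above; the
function names and the temporary paths it writes are ours, not the
distribution's.

```sh
#!/bin/sh
# Added audit example (not from the advisory): find active "xhost +" lines in
# an Xsession-style script and check ~/.Xclients ownership and mode.

# Report every line that runs "xhost +" without a '#' earlier on the line.
# "xhost +" with no host disables X access control entirely; "xhost + host"
# lets every user on that host connect. Returns 1 if any such line exists.
audit_xsession() {
    xsession_file="$1"
    if grep -nE '^[^#]*xhost[[:space:]]+\+' "$xsession_file"; then
        echo "FAIL: $xsession_file weakens X access control (lines above)" >&2
        return 1
    fi
    echo "OK: no active 'xhost +' in $xsession_file"
    return 0
}

# Verify the file is 0700 (-rwx------) and owned by the expected user.
# "ls -ld" is parsed instead of stat(1), whose flags differ between GNU and BSD.
check_xclients() {
    xclients_file="$1"
    expected_owner="$2"
    if [ ! -f "$xclients_file" ]; then
        echo "FAIL: $xclients_file does not exist" >&2
        return 1
    fi
    set -- $(ls -ld "$xclients_file")
    case "$1" in
        -rwx------*) ;;   # 0700, possibly followed by an ACL/SELinux marker
        *) echo "FAIL: $xclients_file has mode $1, expected -rwx------" >&2
           return 1 ;;
    esac
    if [ "$3" != "$expected_owner" ]; then
        echo "FAIL: $xclients_file is owned by $3, expected $expected_owner" >&2
        return 1
    fi
    echo "OK: $xclients_file is 0700 and owned by $expected_owner"
    return 0
}

# Constructed sample mirroring the /etc/X11/Xsession fragment in the advisory.
write_sample_xsession() {
    cat > "$1" <<'EOF'
#!/bin/sh
# Mandrake-Security : if you remove this comment, remove the next line too.
/usr/X11R6/bin/xhost + localhost
exec xterm
EOF
}

# The same file after applying the SOLUTION: the xhost line is gone. A commented
# copy is left in to show that the audit ignores comments.
write_fixed_xsession() {
    cat > "$1" <<'EOF'
#!/bin/sh
# /usr/X11R6/bin/xhost + localhost   (removed per the advisory)
exec xterm
EOF
}

# Demonstration on constructed files in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    write_sample_xsession "$tmp/Xsession.bad"
    write_fixed_xsession "$tmp/Xsession.fixed"
    audit_xsession "$tmp/Xsession.bad" || true     # expected to report FAIL
    audit_xsession "$tmp/Xsession.fixed"           # expected to report OK
    : > "$tmp/.Xclients"
    chmod 0700 "$tmp/.Xclients"
    check_xclients "$tmp/.Xclients" "$(id -un)"    # expected to report OK
    rm -rf "$tmp"
}

demo
```

To audit a real system, call audit_xsession on /etc/X11/Xsession and
check_xclients on each user's ~/.Xclients with that user's login name; the
grep pattern deliberately matches "xhost +localhost" as well as
"xhost + localhost", since both forms open the display.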
For Linux-Mandrake:
Linux-Mandrake 7.0:
  7.0/RPMS/xinitrc-2.4.4-11mdk.noarch.rpm
  7.0/SRPMS/xinitrc-2.4.4-11mdk.src.rpm
Linux-Mandrake 7.1:
  7.1/RPMS/xinitrc-2.4.4-24mdk.noarch.rpm
  7.1/SRPMS/xinitrc-2.4.4-24mdk.src.rpm