Bug 19612 - Parameter "allow_xserver_to_listen" should be also managed for sddm
Summary: Parameter "allow_xserver_to_listen" should be also managed for sddm
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2016-10-17 19:57 CEST by papoteur
Modified: 2018-04-03 20:49 CEST (History)
7 users (show)

See Also:
Source RPM: msec
CVE:
Status comment:


Attachments

Description papoteur 2016-10-17 19:57:23 CEST
Description of problem:
The parameter "allow_xserver_to_listen" is managed for now with gdm and kdm. Managing with sddm is needed.
'''  Allow X server to accept connections from network on tcp port 6000.'''
If someone knows how to parameter it, he is welcome to write that here. ;)
Comment 1 Charles Edwards 2016-10-17 20:36:30 CEST
This can be set in sddm.conf

The default is -nolisten tcp

An example setting to allow tcp would be

[XDisplay]
ServerArguments=-listen tcp

CC: (none) => cae

Comment 2 Giuseppe Ghibò 2016-10-19 15:04:13 CEST
[XDisplay] is no longer supported (at least in cauldron sddm), so [X11] should be used instead.

CC: (none) => ghibomgx

Comment 3 Mageia Robot 2016-10-23 13:33:02 CEST
commit bca8d16114f6c20744962b38879f5e8ba81816fa
Author: Papoteur <papoteur@...>
Date:   Sun Oct 23 11:48:23 2016 +0200

    manage allow_xserver_to_listen also for sddm.conf (mga#19612)
---
 Commit Link:
   http://gitweb.mageia.org/software/msec/commit/?id=bca8d16114f6c20744962b38879f5e8ba81816fa
Comment 4 Giuseppe Ghibò 2016-10-23 19:17:40 CEST
is there the dual option to go back to the secure "-nolisten tcp" in the case?
Comment 5 papoteur 2016-10-23 19:53:18 CEST
Hello Guiseppe,
I don't understand what you mean with "dual option".
If the user set the option allow_xserver_to_listen to "no", then msec delete "-listen tcp" on the line ServerArguments.
As the documentation says that by default, it's the "-nolisten tcp" behavior, I presume that it's enough. Answer this to your question?
Papoteur
Comment 6 Giuseppe Ghibò 2016-10-23 20:01:42 CEST
Ok, sorry I thought it was doing exactly the opposite, i.e. adding
"-listen tcp" to the ServerArguments when the "allow_xserver_to_listen" is set to "yes".
Comment 7 papoteur 2016-10-23 20:22:06 CEST
Hmm,
It adds "-listen tcp" to the ServerArguments when the "allow_xserver_to_listen" is set to "yes", but I think that it's what is needed, isn't it ?
Don't mix with "-nolisten tcp".
Comment 8 papoteur 2017-09-03 08:52:28 CEST
Thus I think we can close this report as Done.
Comment 9 Florian Hubold 2018-01-25 19:16:57 CET
(In reply to papoteur from comment #8)
> Thus I think we can close this report as Done.

FWIW, it's still marked as new - forgot to close it ?

CC: (none) => doktor5000

Comment 10 papoteur 2018-01-26 10:18:57 CET
Yes, we can.

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 11 papoteur 2018-03-08 09:16:33 CET
The option as dealt by msec has no effect.
It seems that the section [X11] is not added before the ServerArguments line.

Resolution: FIXED => (none)
Status: RESOLVED => REOPENED

Comment 12 Mageia Robot 2018-03-08 14:17:31 CET
commit 9242e2516b6bbe83010f80eea8ccc2158f7f8b1c
Author: Papoteur <papoteur@...>
Date:   Thu Mar 8 14:18:31 2018 +0100

    Manage allow_Xserver_to_listen for SDDM, to be included in X11 section (mga#19612)
    
    Manage allow_user_list for SDDM to be included in Users section
---
 Commit Link:
   http://gitweb.mageia.org/software/msec/commit/?id=9242e2516b6bbe83010f80eea8ccc2158f7f8b1c
Comment 13 David Walser 2018-03-15 17:10:01 CET
Whenever this is resolved, it should be fixed for Mageia 6 as well.

Whiteboard: (none) => MGA6TOO
Severity: enhancement => normal

Comment 14 papoteur 2018-03-16 11:30:08 CET
Version 2.6 is pushed on gitweb. It need to be packaged.
Comment 15 David GEIGER 2018-03-20 06:28:39 CET
(In reply to papoteur from comment #14)
> Version 2.6 is pushed on gitweb. It need to be packaged.

Done for Cauldron and mga6 too!

CC: (none) => geiger.david68210

Comment 16 papoteur 2018-03-20 08:05:10 CET
Mageia 6 update:
msec-2.6-1.mga6.i586.rpm
msec-gui-2.6-1.mga6.i586.rpm 
msec-2.6-1.mga6.x86_64.rpm
msec-gui-2.6-1.mga6.x86_64.rpm 

Process to check.
Using SDDM as display manager
1. Check that allow_Xserver_to_listen is set to "no"
2. In console
xhost +
export DISPLAY=MY_IP_ADDRESS:0
xeyes

MY_IP_ADDRESS is to replace with the IP address
Should not work
3. Set allow_Xserver_to_listen is set to "yes"
4. Restart 2. Should display xeyes

Assignee: mageiatools => qa-bugs

Comment 17 David Walser 2018-03-21 21:22:48 CET
Thanks guys!

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 18 Lewis Smith 2018-03-27 14:48:51 CEST
Before testing, some questions;

1) Are we talking only about /etc/sddm.conf ?

2) In that, section [X11]
#ServerArguments=
# Arguments to be passed to the X server. Default value is "-nolisten tcp"

Where is the parameter "allow_xserver_to_listen" ? If I understand c7, "-listen tcp" will be set for the ServerArguments= parameter above if "allow....=yes"(wherever that is).
> Don't mix with "-nolisten tcp"
Is this one boolean with opposite names, or two different ones? i.e. Are they mutually exclusive, or can both be present?

3)
> 1. Check that allow_Xserver_to_listen is set to "no"
> 3. Set allow_Xserver_to_listen is set to "yes"
Where?

4)
> 2. In console
A terminal window, or Ctl/Alt/Fn virtual console?

5)
> export DISPLAY=MY_IP_ADDRESS:0
> MY_IP_ADDRESS is to replace with the IP address
Is 127.0.0.1 OK here?

6). Apart from the given test c16, can the update be checked also by looking at sddm.conf? And/or another file?

7). c0 mentions gdm, kdm [M5, not M8], sddm [M6]. What about LXDM & LightDM?

Sorry for the noise.

CC: (none) => lewyssmith

Comment 19 papoteur 2018-03-28 22:39:58 CEST
Hi Lewis, thanks for dealing with this update.
1/ msecgui manage also other DM, but the modifications of the present update are only for SDDM, and the management of /etc/sddm.conf

2) and 3) allow_xserver_to_listen is a parameter displayed in the msecgui interface, look at the documentation:
https://doc.mageia.org/mcc/6/en/content/msecgui.html#d4e3226

I haven't done the tests with xeyes by myself, but only checked how sddm.conf is written. I think this is enough.

gdm is already managed with this option from msecgui, but nothing is new. The same for xserver and startx.
lxdm and light are not managed by this parameter.
Comment 20 Len Lawrence 2018-03-29 18:17:01 CEST
Continuing this as Lewis is not available.  x86_64.

I had a bit of trouble figuring out what was required here so may have inadvertently caused sddm.conf to acquire the explicit setting:
ServerArguments=-nolisten tcp

Using msecgui I toggled the allow_Xserver_to_listen between 'yes' and 'no' and both times restarted dm and in both cases found that
$ xhost +
$ export DISPLAY=difda:0
prevented xeyes from launching.

After updating msec the behaviour had not changed so I removed sddm and reinstalled it.  Checked sddm.conf and found that there was no setting for ServerArguments under [X11] or anywhere else.  Restarted sddm and ran the experiment again.  This time xeyes launched for this case with allow_Xserver_to_listen = 'yes'
$ xhost +
$ export DISPLAY=difda:0
and sddm.conf had acquired the line:
ServerArguments=-listen tcp
in the [X11] section.
 
This looks OK to me as long as the dm is restarted after the msecgui changes.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Comment 21 Lewis Smith 2018-04-03 12:24:50 CEST
Advisory from c0, c16 and bug RPMs.

Keywords: (none) => advisory

Comment 22 Lewis Smith 2018-04-03 13:38:57 CEST
For my own comprehension, trying M6/64, via SDDM

 BEFORE the update, installed:
msec-2.4-1.mga6
msec-gui-2.4-1.mga6
+ xeyes.

/etc/sddm.conf
#[X11]
#ServerArguments=
#       Arguments to be passed to the X server. Default value is "-nolisten tcp"
#

# msecgui
Security configuration - System security - ALLOW_XSERVER_TO_LISTEN = no

xeyes worked on the current desktop. 
 # | $ xhost +
 access control disabled, clients can connect from any host
Unsure what to free up here, I left it.

Changed via msecgui the paramater noted above to 'yes'.
/etc/sddm.conf
#[X11]
#ServerArguments=
 remained UNchanged after the prompt to apply it. I will re-start X11 to see whether that changes something.
Comment 23 Lewis Smith 2018-04-03 14:33:32 CEST
No it did not.
UPDATE to:
 msec-2.6-1.mga6
 msec-gui-2.6-1.mga6

 # msec-gui
to change ALLOW_XSERVER_TO_LISTEN = between 'no' and 'yes' (it became bold for the latter) made *no* difference to /etc/sddm.conf, whether re-starting X or re-booting. It stayed as:
#ServerArguments=
#     Arguments to be passed to the X server. Default value is "-nolisten tcp"
#

I will try Len's idea of re-installing SDDM... No I won't: it wanted to remove also task-plasma5-minimal (and then what?)! I give up! But Len's point here is important.
> After updating msec the behaviour had not changed so I removed sddm and
> reinstalled it.  Checked sddm.conf and found that there was no setting for
> ServerArguments under [X11].
> Restarted sddm and ran the experiment again.  This time xeyes launched for
> this case with allow_Xserver_to_listen = 'yes'
> sddm.conf had acquired the line:
> ServerArguments=-listen tcp
> in the [X11] section
It seems to me that this update should just reflect in /etc/sddm.conf - #[X11] - #ServerArguments= whatever is set by msecgui interface for ALLOW_XSERVER_TO_LISTEN (no => default nothing, otherwise yes => ServerArguments=-listen tcp.

Validating, but not happy with the contortions to make this 'stick'.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 24 Mageia Robot 2018-04-03 20:49:07 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2018-0057.html

Resolution: (none) => FIXED
Status: REOPENED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.