SuSE GmbH

SuSE Support Database

Title: Worldwide access to the xdm/kdm login manager

----------


Worldwide access to the xdm/kdm login manager

Applies to

SuSE Linux: Version 6.2

Symptom

After configuring the graphical login manager kdm or xdm, other (Linux) computers can reach the running login manager with the command X -query computername. With xdm this is no problem, but with kdm it is possible that anybody can shut the computer down using the `shutdown' dialog of the kdm login screen. Even an attacker without an account on the affected computer can shut it down.

Cause

In the standard configuration, all accesses to the xdm/kdm login manager are allowed. This behaviour is controlled by the file /usr/X11R6/lib/X11/xdm/Xaccess.

Solution

Please edit the file /usr/X11R6/lib/X11/xdm/Xaccess. Search for the lines:

# In all cases, xdm uses the first entry which matches the terminal;
# for IndirectQuery messages only entries with right hand sides can
# match, for Direct and Broadcast Query messages, only entries without
# right hand sides can match.
#

*                                      #any host can get a login window

and, near the end of the file:

# The nicest way to run the chooser is to just ask it to broadcast
# requests to the network - that way new hosts show up automatically.
# Sometimes, however, the chooser can't figure out how to broadcast,
# so this may not work in all environments.
#

*              CHOOSER BROADCAST       #any indirect host can get a chooser

and replace them with the following lines. Only a `!' character is added before the `*', and the comment is changed:

# In all cases, xdm uses the first entry which matches the terminal;
# for IndirectQuery messages only entries with right hand sides can
# match, for Direct and Broadcast Query messages, only entries without
# right hand sides can match.
#

!*                                      #no host can get a login window

and, near the end of the file:

# The nicest way to run the chooser is to just ask it to broadcast
# requests to the network - that way new hosts show up automatically.
# Sometimes, however, the chooser can't figure out how to broadcast,
# so this may not work in all environments.
#

!*              CHOOSER BROADCAST       #no indirect host can get a chooser

After these changes and a restart of the xdm/kdm login manager, xdm/kdm can only be accessed by the X server that xdm/kdm itself starts. Hosts trying to access it over the network are denied.
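The following shell script is an added example, not part of the SuSE article: it audits an Xaccess file for entries that still admit any host (a bare `*' without a leading `!'), so you can confirm the edit above took effect. The function names and the constructed sample files are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not part of the SuSE article: audit an Xaccess file for
# entries that admit any host, using the syntax shown in the article:
#   '*'                       any host gets a login window (Direct/Broadcast query)
#   '*   CHOOSER BROADCAST'   any host gets a chooser (Indirect query)
# A leading '!' makes an entry a denial; '#' starts a comment.

# xaccess_allows_any_host FILE
# Prints every effective entry whose host pattern is a bare '*' (not '!*')
# and returns 0 if at least one exists, 1 if no wildcard host is admitted.
xaccess_allows_any_host() {
    sed -e 's/#.*//' "$1" | awk '
        NF > 0 && $1 == "*" { open = 1; print }
        END { exit (open ? 0 : 1) }'
}

# xaccess_verdict FILE -> prints OPEN or CLOSED
xaccess_verdict() {
    if xaccess_allows_any_host "$1" >/dev/null; then echo OPEN; else echo CLOSED; fi
}

# write_sample_files PREFIX: constructed excerpts of the default SuSE 6.2
# Xaccess (PREFIX.before) and of the file after the fix (PREFIX.after).
write_sample_files() {
    cat > "$1.before" <<'EOF'
# constructed excerpt of the default Xaccess
*                                      #any host can get a login window
*              CHOOSER BROADCAST       #any indirect host can get a chooser
EOF
    cat > "$1.after" <<'EOF'
# constructed excerpt after adding '!' before '*'
!*                                      #no host can get a login window
!*              CHOOSER BROADCAST       #no indirect host can get a chooser
EOF
}

prefix="${TMPDIR:-/tmp}/xaccess_demo.$$"
write_sample_files "$prefix"
echo "before: $(xaccess_verdict "$prefix.before")"   # before: OPEN
echo "after:  $(xaccess_verdict "$prefix.after")"    # after:  CLOSED
rm -f "$prefix.before" "$prefix.after"
```

Run xaccess_verdict against /usr/X11R6/lib/X11/xdm/Xaccess after editing; it should print CLOSED before you restart xdm/kdm.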

----------

Keywords: KDM, XDM, KDE, SHUTDOWN

----------


SDB-cg_xdmcp, Copyright SuSE GmbH, Nuremberg, Germany - Version: 25. Aug 1999
SuSE GmbH - Last generated: 11. Oct 1999 11:51:09 by nm with sdb_gen 1.00.0