Sugar-Emulator has no access control
Bug #296604 reported by
mungewell
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Sugar | Unknown | Unknown | |
sugar (Ubuntu) | Fix Released | Critical | Unassigned |
Bug Description
Binary package hint: sugar
Sugar-Emulator uses the '-ac' flag in the Xephyr command line, which turns off access control.
This means that anyone on the network can attach to the display.
With Xephyr on display :1
--
simon@destiny:~$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:6001 0.0.0.0:* LISTEN
tcp6 0 0 :::6001 :::* LISTEN
--
Simon.
Changed in sugar:
status: Unknown → New
Changed in sugar:
assignee: nobody → lfaraone
status: New → In Progress
Changed in sugar:
importance: Undecided → Low
status: In Progress → Triaged
Changed in sugar:
status: New → Confirmed
Changed in sugar:
importance: Critical → Unknown
status: Fix Released → Confirmed
Changed in sugar:
status: Confirmed → Unknown
A quick fix for this would be to use the Xauth file of the running/calling user.
The emulator.py should call 'xauth add <$display> . <random 128bit/32hex char>', and then Xephyr can be called without the '-ac' flag.
The Xephyr server still listens on the TCP/IP ports, but does not allow others to connect unless they have imported the same key to their Xauth file.
Simon.
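The cookie-based launch the comment above describes, written out as an added example (this is not code from the bug report or from Sugar's emulator.py). It assumes xauth and Xephyr are installed, and relies on the standard X server '-auth' option to tell Xephyr which cookie file to accept connections against.

```shell
#!/bin/sh
# Added example: start Xephyr on a display protected by an MIT-MAGIC-COOKIE-1
# entry instead of the '-ac' (no access control) flag from the bug report.
set -eu

# Generate a 128-bit random cookie as 32 hex characters, i.e. the
# "random 128bit/32hex char" value the comment proposes.
gen_cookie() {
    dd if=/dev/urandom bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Register the cookie for a display in the calling user's Xauthority file.
# 'xauth add <display> . <cookie>' is equivalent; '.' is shorthand for
# MIT-MAGIC-COOKIE-1.
add_cookie() {
    authfile="$1"; display="$2"; cookie="$3"
    xauth -f "$authfile" add "$display" MIT-MAGIC-COOKIE-1 "$cookie"
}

# Build the Xephyr command line without '-ac'. The server still listens on
# TCP 6000+N, but only clients presenting the cookie are accepted.
# (-auth is the standard X server option; assumed to be honoured by Xephyr.)
xephyr_args() {
    authfile="$1"; display="$2"
    printf '%s -auth %s -screen 800x600' "$display" "$authfile"
}

# Usage: sh this-script.sh :1   (only runs when a display argument is given)
if [ -n "${1:-}" ]; then
    authfile="${XAUTHORITY:-$HOME/.Xauthority}"
    cookie=$(gen_cookie)
    add_cookie "$authfile" "$1" "$cookie"
    # shellcheck disable=SC2046
    Xephyr $(xephyr_args "$authfile" "$1") &
fi
```

Clients run by the same user pick the cookie up from the same Xauthority file; anyone else on the network gets a connection refused by the server instead of a free display.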