VNC / XDMCP server cannot be configured to listen on specific interfaces

Bug #1390808 reported by James Walters on 2014-11-08
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Light Display Manager
Wishlist
Unassigned
1.10
Wishlist
Unassigned
1.14
Wishlist
Unassigned
1.2
Wishlist
Unassigned
lightdm (Ubuntu)
Wishlist
Unassigned
Precise
Wishlist
Unassigned
Trusty
Wishlist
Unassigned
Vivid
Wishlist
Robert Ancell

Bug Description

[Impact]
The XDMCP and VNC servers in LightDM allow connections on any network interface. It is desirable for these to be limited to a particular interface to limit who can connect (i.e. only allow local connections on 127.0.0.1).

[Test Case]
1. Enable the VNC server in LightDM in lightdm.conf:
[VNCServer]
enabled=true
listen-address=127.0.0.1
2. Start LightDM
With this setup you should only be able to make a local connection.

[Regression potential]
Low. If the option is not set LightDM has the old behaviour.

information type: Private Security → Public
James Walters (x5q9b8n384) wrote :

https://superuser.com/questions/803057/force-vncserver-started-by-lightdm-to-localhost-on-ubuntu-14-04

... shows someone else with the same problem (and nobody answering).

Robert Ancell (robert-ancell) wrote :

Do you have a suggested format for the configuration? Is there a convention for options like this?

Changed in lightdm:
status: New → Triaged
importance: Undecided → Wishlist
James Walters (x5q9b8n384) wrote :

Why is this "wishlist"? Without a fix for this, everybody that needs to use a VNC server over a tunnel is out of luck and very insecure if they want to use LightDM's server. And that's a shame because it would be so convenient to set it once and let LightDM take care of all of the rest of the gory details.

How about doing this like SSHD does it?

http://www.manpagez.com/man/5/sshd_config/

>> LightDM already does the same thing with "Port"; make sure multiple instances are allowed
     Port Specifies the port number that sshd(8) listens on. The default
             is 22. Multiple options of this type are permitted. See also
             ListenAddress.

>>> so add ListenAddress, allowing multiple instances
     ListenAddress
             Specifies the local addresses sshd(8) should listen on. The fol-
             lowing forms may be used:

                   ListenAddress host|IPv4_addr|IPv6_addr
                   ListenAddress host|IPv4_addr:port
                   ListenAddress [host|IPv6_addr]:port

             If port is not specified, sshd will listen on the address and all
             prior Port options specified. The default is to listen on all
             local addresses. Multiple ListenAddress options are permitted.
             Additionally, any Port options must precede this option for non-
             port qualified addresses.

Robert Ancell (robert-ancell) wrote :

"Wishlist" is the category on Launchpad for enhancements / new features.

Robert Ancell (robert-ancell) wrote :

lp:~robert-ancell/lightdm/listen-address contains a proposed fix for this. If you are able to test this that would be great.

Changed in lightdm:
milestone: none → 1.13.0
Changed in lightdm (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Wishlist
Changed in lightdm (Ubuntu Trusty):
status: New → Triaged
Changed in lightdm (Ubuntu Utopic):
importance: Undecided → Wishlist
Changed in lightdm (Ubuntu Vivid):
importance: Undecided → Wishlist
Changed in lightdm (Ubuntu Trusty):
importance: Undecided → Wishlist
Changed in lightdm (Ubuntu Utopic):
status: New → Triaged
Changed in lightdm (Ubuntu Vivid):
status: New → Triaged
summary: - VNC server cannot be configured to listen on specific interfaces
+ VNC / XDMCP server cannot be configured to listen on specific interfaces
Changed in lightdm:
status: Triaged → Fix Released
Changed in lightdm:
status: Fix Released → Triaged
milestone: 1.13.0 → 1.13.1
status: Triaged → In Progress
description: updated
Changed in lightdm:
milestone: 1.13.1 → 1.13.2
Changed in lightdm:
milestone: 1.13.2 → 1.13.4
Changed in lightdm:
status: In Progress → Triaged
Changed in lightdm:
milestone: 1.13.3 → 1.15.0
Changed in lightdm:
milestone: 1.15.0 → 1.15.2
Changed in lightdm (Ubuntu Utopic):
status: Triaged → Won't Fix
no longer affects: lightdm/1.12
no longer affects: lightdm (Ubuntu Utopic)
Changed in lightdm:
milestone: 1.15.2 → 1.15.1
status: Triaged → Fix Committed
Changed in lightdm:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.15.1-0ubuntu1

---------------
lightdm (1.15.1-0ubuntu1) wily; urgency=medium

  * New upstream release:
    - Fix default X server command set to XMir in 1.15.0.
    - Internally merge the [SeatDefaults] and [Seat:*] sections together. The
      previous method meant configuration snippets using a mix of old and new
      naming would not correctly override eachother.
    - Use IP address of XDMCP requests to contact X server if available.
      (LP: #1481561)
    - Add an option for XDMCP and VNC servers to only listen on one address.
      (LP: #1390808)
    - Fix configuration file warnings so they go to the log, not stderr.
    - Warn if deprecated options logind-load-seats or xdg-seat are in
      configuration. (LP: #1468057)
    - Improve IP addresses in XDMCP log messages.
    - Fix typo in dm-tool man page. (LP: #1470587)

 -- Robert Ancell <email address hidden> Wed, 05 Aug 2015 16:53:39 +1200

Changed in lightdm (Ubuntu):
status: Triaged → Fix Released
Changed in lightdm (Ubuntu Vivid):
status: Triaged → In Progress
assignee: nobody → Robert Ancell (robert-ancell)

Hello James, or anyone else affected,

Accepted lightdm into vivid-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lightdm/1.14.3-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lightdm (Ubuntu Vivid):
status: In Progress → Fix Committed
tags: added: verification-needed
Robert Ancell (robert-ancell) wrote :

Fixed on vivid. I attempted to connect using the ethernet interfaces address (Xephyr :1 -query <address>) and was not able to when this option is enabled.

tags: added: verification-done-vivid
removed: verification-needed
Chris J Arges (arges) wrote :

Hello James, or anyone else affected,

Accepted lightdm into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lightdm/1.10.6-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lightdm (Ubuntu Trusty):
status: Triaged → Fix Committed
tags: added: verification-needed
Robert Ancell (robert-ancell) wrote :

Fixed on trusty. I attempted to connect using the ethernet interfaces address (Xephyr :1 -query <address>) and was not able to when this option is enabled.

tags: added: verification-done-trusty
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.10.6-0ubuntu1

---------------
lightdm (1.10.6-0ubuntu1) trusty; urgency=medium

  * New upstream release:
    - Handle trailing whitespace on boolean values in configuration.
      (LP: #1507033)
    - Use libaudit to generate audit events.
    - Fix apparmor profiles for running Chromium in guest sessions.
      (LP: #1504049)
    - Add LC_PAPER, LC_NAME, LC_ADDRESS, LC_TELEPHONE, LC_MEASUREMENT and
      LC_IDENTIFICATION variables to the list of inherited locale variables.
      (LP: #1511259)
    - Add a backup-logs option that can be used to disable existing logging
      files having a .old suffix added to them.
    - Check the version of the X server we are running so we correctly pass
      -listen tcp when required. (LP: #1449282)
    - Use IP address of XDMCP requests to contact X server if available.
      (LP: #1481561)
    - Implement XDMCP ForwardQuery. (LP: #1511545)
    - Add an option for XDMCP and VNC servers to only listen on one address.
      (LP: #1390808)
    - Don't start LightDM if the XDMCP server is configured with a key that
      doesn't exist. (LP: #1517685)
    - Add IP addresses to XDMCP log messages.
    - Refactor XDMCP error handling.
    - Fix small memory leak in XDMCP logging code.
    - Fix typo in dm-tool man page. (LP: #1470587)
    - Use new Xmir binary when running X under Unity System Compositor.
    - Fix all the things that prevent clang (3.5) from building LightDM with
      -Werror.
    - Add more tests.

 -- Robert Ancell <email address hidden> Fri, 20 Nov 2015 16:07:50 +1300

Changed in lightdm (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for lightdm has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.14.4-0ubuntu1

---------------
lightdm (1.14.4-0ubuntu1) vivid; urgency=medium

  * New upstream release:
    - Handle XDMCP Request packet with no addresses. (LP: #1516831)
    - Don't start LightDM if the XDMCP server is configured with a key that
      doesn't exist. (LP: #1517685)
    - Add IP addresses to XDMCP log messages.
    - Refactor XDMCP error handling.
    - Add more tests.

 -- Robert Ancell <email address hidden> Fri, 20 Nov 2015 16:01:15 +1300

Changed in lightdm (Ubuntu Vivid):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers