
#1 2017-01-03 19:32:13

Andy Random
Member
Registered: 2017-01-03
Posts: 4

MATE Session Handler default configuration is to listen on TCP ports

The MATE Session Handler (/usr/bin/mate-session) default configuration is to listen on a TCP V4 and TCP V6 port.
On all interfaces!
This is a totally unnecessary security risk.

Package version:
Arch Linux i386 (but very likely on all platforms). mate-session-manager 1.16.0-2 (mate mate-gtk3)

config files etc.
/etc/lightdm/lightdm.conf
[XDMCPServer]
#enabled=false

ps axu | grep -e "X[org]"
/usr/lib/xorg-server/Xorg :0 -seat seat0 -auth /run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch

lsof -i -n -P
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mate-sess 899 me 13u IPv6 22760 0t0 TCP *:35757 (LISTEN)
mate-sess 899 me 14u IPv4 22761 0t0 TCP *:43365 (LISTEN)

Steps to reproduce:
startx

The software author is aware of the problem:
grep -A1 -ne "security reasons" mate-session-manager-1.16.0/mate-session/gsm-xsmp-server.c
566: * hosts, so for security reasons it would be best if ICE didn't
567- * even open any non-local sockets. So we use an internal ICElib

There have been user complaints since back in 2014:
https://bbs.archlinux.org/viewtopic.php?id=182726
https://bbs.archlinux.de/viewtopic.php?id=25645
with ZERO REACTION! (and some wrong advice...)
Is this on purpose to increase the attack area of a default MATE installation?
I couldn't find any documentation, anywhere, on how to stop that.

Any suggestions?


#2 2017-01-03 20:03:31

Alad
Wiki Admin/IRC Op
From: Bagelstan
Registered: 2014-05-04
Posts: 2,407

Re: MATE Session Handler default configuration is to listen on TCP ports

Barking up the wrong tree.

https://github.com/mate-desktop/mate-se … ger/issues

P.S. Perhaps English is not your native language, but claiming things like "on purpose to increase the attack area" is a prime example of FUD.


Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby


#3 2017-01-03 20:13:38

Andy Random
Member
Registered: 2017-01-03
Posts: 4

Re: MATE Session Handler default configuration is to listen on TCP ports

Hello Alad,

thank you very much for your helpful advice.
Done.
https://github.com/mate-desktop/mate-se … issues/131

> "on purpose to increase the attack area" is a prime example of FUD
So did being modest, like the 2014 (and older) complaints, lead to ANY results?

Last edited by Andy Random (2017-01-03 20:13:59)


#4 2017-01-18 21:56:11

Andy Random
Member
Registered: 2017-01-03
Posts: 4

Re: MATE Session Handler default configuration is to listen on TCP ports

Finally some competent people at https://github.com/mate-desktop/mate-se … issues/131 have fixed the issue. Many thanks @Enverex and @monsta.
Update to 1.16.0-3 (mate mate-gtk3) and the ports should be closed.
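
A way to check for the listeners shown in the first post's lsof output, before and after the update, as an added example that is not part of the original thread. The function names and the cupsd/firefox sample lines are constructed for illustration; the two mate-sess lines are the ones quoted in post #1.

```shell
#!/bin/sh
# Added example: flag TCP listeners bound to all interfaces in
# `lsof -i -n -P` output. Real use:
#   lsof -i -n -P | wildcard_listeners mate-sess

# wildcard_listeners [COMMAND_PREFIX]
# Reads lsof output on stdin and prints "command pid family port" for each
# TCP socket in LISTEN state whose local address is the wildcard "*".
# Exit status: 0 if no such listener was seen, 1 if at least one was.
# Note: lsof truncates COMMAND to 9 characters, hence the prefix match.
wildcard_listeners() {
    awk -v want="${1:-}" '
        NR == 1 && $1 == "COMMAND"                  { next }  # header row
        $8 != "TCP" || $NF != "(LISTEN)"            { next }  # listening TCP only
        want != "" && index($1, want) != 1          { next }  # command filter
        {
            addr = $9
            n = split(addr, parts, ":")
            port = parts[n]                         # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "*") { print $1, $2, $5, port; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample input: mate-sess lines from post #1, the rest made up.
sample_lsof() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mate-sess 899 me 13u IPv6 22760 0t0 TCP *:35757 (LISTEN)
mate-sess 899 me 14u IPv4 22761 0t0 TCP *:43365 (LISTEN)
cupsd 412 root 7u IPv6 11890 0t0 TCP [::1]:631 (LISTEN)
cupsd 412 root 8u IPv4 11891 0t0 TCP 127.0.0.1:631 (LISTEN)
firefox 1200 me 55u IPv4 30100 0t0 TCP 192.0.2.10:51234->198.51.100.7:443 (ESTABLISHED)
EOF
}

# Demonstration on the sample; the "||" keeps a non-zero status from
# aborting scripts that run under `set -e`.
sample_lsof | wildcard_listeners mate-sess || echo "wildcard TCP listeners found"
```

Loopback-only listeners such as 127.0.0.1 and [::1] are not reported, so the function exits 0 once the session manager no longer binds to `*`.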
