# Port 6000: open

## febs

One of the things I love about Gentoo is its behaviour of NOT opening any port/service unless it's explicitly instructed to do so.

So, I was quite surprised to find, in a new installation with X.org 6.8, the port 6000 open to the world.

I consider this behaviour a bug. If you agree and there is not a bugzilla issue about this, I will file one.

Thanks for reading.

----------

## adaptr

 *febs wrote:*   

> One of the things I love about Gentoo is its behaviour of NOT opening any port/service unless it's explicitly instructed to do so.

 

That is not a feature of any kind, and simply not true in so many situations.

That you perceive it as a certain behaviour does not make it so.

In this case, it isn't so.

 *febs wrote:*   

> So, I was quite surprised to find, in a new installation with X.org 6.8, the port 6000 open to the world.

 

Not open to the world - open, period.

Without it, not even the local X server can connect to clients.

 *febs wrote:*   

> I consider this behaviour a bug. If you agree and there is not a bugzilla issue about this, I will file one.

 

You have little idea what you're talking about.

But by all means file a "bug" if you want to look silly.

----------

## febs

Self reply.

It's a bug of Entrance, and it's already filed. 

https://bugs.gentoo.org/show_bug.cgi?id=65903

I hope this micro-thread can warn someone of the danger anyhow.

Ciao  :Smile: 

----------

## febs

 *Quote:*

> You have little idea what you're talking about.

You are just wrong.

How do you interpret this?

```
netstat -lpt
tcp        0      0 *:6000                  *:*                     LISTEN      6765/X
```

Learn to use netstat, and to be more gentle.

----------

## adaptr

 *febs wrote:*   

> How do you interpret this?
> 
> ```
> netstat -lpt
> ...
> ```

 

As a listening X server.

----------

## febs

On a TCP socket, not on a UNIX one. Read the first field of the output (and the command line options: "t" means "tcp").

----------

## revertex

same here, using xdm everything is ok, but with entrance port 6000 is listening.

why is it so hard to find docs about entrance?

----------

## adaptr

Seeing as you come from Debian, here's one you should like:

If the Entrance docs are so hard to find, why use it ?

----------

## r1k0d3r

hi,

i am surprised to read such remarks, 

 *Quote:*   

> One of the things I love about Gentoo is its behaviour of NOT opening any port/service unless it's explicitly instructed to do so.
> 
> So, I was quite surprised to find, in a new installation with X.org 6.8, the port 6000 open to the world.
> 
> I consider this behaviour a bug. If you agree and there is not a bugzilla issue about this, I will file one. 

 

please beware of such posting.

first i would like to say that it ain't no bug at all, and that maybe you guys should ask google a bit longer before always supposing there is a bug.

i don't remember which version of Xorg it began with, but all previous versions have port 6000 opened. Why? because it's X remote forwarding, as X listens for a tcp connection. Go ask the slackware community, for example, which has a precompiled version of Xorg 6.7; they all have port 6000 opened, you just have to be aware of it and configure it.

Yes it is dangerous but it AIN'T a bug at all.

if you have compiled your X with some specific flags (i don't remember, is it tcp, ethernet or network?) then port 6000 will open when you start X

if you have done so and don't wanna recompile the source, then when you startx type:

```
$ startx -- -nolisten tcp
```

this command passes the nolisten tcp option to the X server, which will disable listening on port 6000.

test it with nmap or netstat and you will see the port closed

so here, buddy, don't go sending useless bug forms to the maintainers, they'll rip you off

just READ READ READ READ and GOOGLE GOOGLE GOOGLE

bless

----------

## revertex

 *adaptr wrote:*   

> Seeing as you come from Debian, here's one you should like:
> 
> If the Entrance docs are so hard to find, why use it ?

 

lol, just discovered debian long time after gentoo, why use entrance?

entrance is faster than qingy on my machine, looks far better than others (IMHO) and has very few dependencies compared with gdm and kdm, and i don't like wdm.

 *r1k0d3r wrote:*   

> hi,
> 
> when you startx type:
> 
> $ startx -- -nolisten tcp
> ...

 

r1k0d3r, i don't use startx anymore, there is no proposal to use a login manager and start xsession from cli, my question is where i can find some documentation about how to parse some commands like "-nolisten tcp", "-dpi 100", "-br" to entrance?

it seems not implemented, but i can't find anything about it.

the most useful that i have found is this.

http://www.atmos.org/docs/entrance/index.html#intro

----------

## r1k0d3r

ok 

My post was strictly a response to febs, the first post which no one seemed to have answered directly..

now

 *Quote:*   

> r1k0d3r, i don't use startx anymore, there is no proposal to use a login manager and start xsession from cli, my question is where i can find some documentation about how to parse some commands like "-nolisten tcp", "-dpi 100", "-br" to entrance?
> 
> it seems not implemented, but i can't find anything about it.
> 
> the most useful that i have found is this. 

 

concerning your matter, i don't have exactly your answer but maybe a clue..

i've just looked at Entrance, and for my part i am using

rox-session

for my xsession manager knowing that i run fluxbox xfce and wm

there is a new tool too for fluxbox i think its fluxspace, have a look but for me rox-session is just great ...

hope it'll help

bless

----------

## vrln

It's not entrance with port 6000 open, it's X. For some reason entrance starts X without --nolisten-tcp.

----------

## revertex

 *vrln wrote:*   

> It's not entrance with port 6000 open, it's X. For some reason entrance starts X without --nolisten-tcp.

 

Good answer, vrln, my only question is where in hell are the docs that explain how to make entrance not listen tcp.

entrance is like a flying saucer, it can cross the galaxy if i know how to start the engine.  :Shocked: 

----------

## vrln

 *revertex wrote:*   

> *vrln wrote:*
> 
> > It's not entrance with port 6000 open, it's X. For some reason entrance starts X without --nolisten-tcp.
> 
> Good answer, vrln, my only question is where in hell are the docs that explain how to make entrance not listen tcp.
> 
> entrance is like a flying saucer, it can cross the galaxy if i know how to start the engine.

 

I've been thinking about this quite a lot... haven't figured out anything yet. :/

----------

## MickKi

Brand new installation, just vanilla X (no fancy display or environment manager yet installed) gives the same open port when xdm is added to rc-update default runlevel.

However, if xdm is removed from default rc and X is started from the console using startx, the "-nolisten tcp" is now present and port 6000 is closed.

I am thinking aloud (but can't try it from work):

Check that

```
:0 local /usr/X11R6/bin/X -nolisten tcp
```

 is present in /etc/X11/xdm/Xservers.

Also check that 

```
serverargs="-nolisten tcp"
```

 is present in /usr/X11R6/bin/startx

and perhaps (?) 

```
:0 local@tty1 /usr/X11R6/bin/X -dpi96 vt7 -nolisten tcp
```

 in your /usr/share/config/kdm/Xservers if you're running kdm and your dpi is 96 (but that can be omitted).  I would also check the file /opt/kde/share/config/kdm/Xservers for the same entry.  Finally for gdm lovers: 

```
[servers]
0=/usr/X11R6/bin/X -nolisten tcp
```

 should be present in /etc/X11/gdm/gdm.conf.  The above can be followed a step at a time and check to see if port 6000 is closed.  If all of the above has been tried and 6000 is still open then I've run out of ideas . . .   :Confused: 

I've also noticed with my xdm vanilla session that there is another port opened by xsm - somewhere around the 33XX range if I remember correctly, when xdm is added to the rc default level.

----------
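
MickKi's checklist above, written as a script (an added example, not part of the thread): it flags server launch lines that lack `-nolisten tcp` in the three file formats the post quotes. The sample file contents are constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Formats follow the snippets quoted in
# the post; sample file contents and function names are constructed.

# Print each line that launches an X server without "-nolisten tcp":
#   xdm/kdm Xservers  ":0 local /path/X ..."
#   gdm.conf          "0=/path/X ..." inside [servers]
#   startx            top-level serverargs="..." assignment
audit_x_launch() {
    awk '
        FNR == 1 { in_servers = 0 }              # new file: reset section state
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        /^\[/ { in_servers = ($0 ~ /^\[servers\]/); next }
        {
            launch = 0
            if ($1 ~ /^:[0-9]+$/ && $2 ~ /^local/)  launch = 1
            else if (in_servers && $0 ~ /^[0-9]+=/) launch = 1
            else if ($0 ~ /^serverargs=/)           launch = 1
            if (launch && $0 !~ /-nolisten[ \t]+tcp/)
                print FILENAME ": " $0
        }
    ' "$@"
}

# Build a throwaway tree of constructed config files and audit it.
run_demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# xdm' ':0 local /usr/X11R6/bin/X' > "$dir/Xservers.xdm"
    printf '%s\n' ':0 local@tty1 /usr/X11R6/bin/X -dpi96 vt7 -nolisten tcp' \
        > "$dir/Xservers.kdm"
    printf '%s\n' '[daemon]' '0=ignored' '[servers]' '0=/usr/X11R6/bin/X' \
        > "$dir/gdm.conf"
    printf '%s\n' '#!/bin/sh' 'serverargs="-nolisten tcp"' > "$dir/startx"
    audit_x_launch "$dir"/*
    rm -rf "$dir"
}

run_demo
```

On a real system, pass the actual files to `audit_x_launch`; an empty result means every launch line it recognised carries the option.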

## MickKi

OK the above was a bit of an overkill!  :Laughing: 

Actually, all I needed to change was the first entry in /etc/X11/xdm/Xservers and port 6000 was thereafter found closed no matter how X was launched.  It may have been a different story if I had emerged KDE, Gnome, etc.  Will check again in the future when I am done installing applications on this box.

Anyway, launching xdm through rc-update I get this funny port opened: 

```
# netstat -tanv
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
```

 and this is caused by xsm: 

```
# fuser -v -n tcp 32768
here: 32768
                     USER        PID ACCESS COMMAND
32768/tcp            michael    9274 f....  xsm
                     michael    9291 f....  twm
                     michael    9293 f....  smproxy
                     michael    9295 f....  xterm
                     michael    9297 f....  bash
                     michael    9369 f....  xterm
                     michael    9371 f....  bash
                     michael    9374 f....  opera
                     root       9385 f....  su
                     root       9388 f....  bash
                     root       9436 f....  dhcpcd
                     michael    9450 f....  xterm
                     michael    9452 f....  bash
                     root       9455 f....  su
                     root       9458 f....  bash
                     root       9462 f....  fuser
```

Does anyone know whether this is a vulnerability and how I could close it?

----------

## revertex

Einfo from xorg-x11-6.8.0-r4.ebuild, maybe this should be helpful

```
 * Listening on TCP is disabled by default with startx.
 * To enable it, edit /usr/X11R6/bin/startx.
```

----------

## MickKi

Yes, as per my second suggestion further above.

----------

## MickKi

Looking at this issue again, I ended up confusing myself!  :Laughing: 

When I start X by running "startx", port 6000 does not open as discussed above.  However, when  I start X by typing "xinit" then X is listening on port 6000.  Same happens even when I run "xinit nolisten -tcp":

```
root      3622  0.0  0.3   2188  1232 ?        Ss   21:15   0:00 login -- michael     
michael   3671  0.0  0.4   2344  1304 tty1     Ss   21:16   0:00  \_ -bash
michael   4229  0.0  0.1   2176   636 tty1     S+   21:43   0:00      \_ xinit -nolisten tcp
root      4230  4.4  8.0  27356 25624 ?        S    21:43   0:18          \_ X :0
michael   4248  0.0  0.2   2132   924 tty1     S    21:43   0:00          \_ sh /etc/X11/xinit/xinitrc -nolisten tcp
michael   4277  0.4  1.5   8504  4832 tty1     S    21:43   0:01              \_ /usr/bin/fluxbox
```

but port 6000 is open:

```
$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN 
```

Any ideas why this is happening?  (I mean why X is listening on port 6000 when launched using "xinit", but not when it is launched with "startx").

----------
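
An added example, not part of the thread: in the `ps` listing of the last post, `-nolisten tcp` appears on the `xinit` and `xinitrc` command lines while the server itself runs as `X :0`; `xinit` hands options to the server only after a `--`, as in the `startx -- -nolisten tcp` form quoted earlier. The script checks the server's own arguments and the TCP listeners from `ps`-style and `netstat`-style input; the sample lines are constructed, and the function names and the 6000-6063 display range are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Sample lines are constructed in the
# shape of the ps and netstat listings quoted in the posts.

# Input: "PID ARGS..." lines (for example from: ps -eo pid,args).
# Prints every X server process whose own argument list lacks
# "-nolisten tcp". Options given to xinit or xinitrc do not count;
# only the server command line matters.
x_without_nolisten() {
    awk '{
        n = split($2, parts, "/"); name = parts[n]      # basename of argv[0]
        if (name != "X" && name != "Xorg") next
        args = " "
        for (i = 3; i <= NF; i++) args = args $i " "
        if (args !~ / -nolisten tcp /) print
    }'
}

# Input: numeric netstat lines (netstat -ltn, with or without -p).
# Prints local addresses of listening TCP sockets on 6000 + display
# number (displays 0-63 assumed by this example).
x_tcp_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n] + 0
        if (port >= 6000 && port <= 6063) print $4
    }'
}

# Constructed samples.
PS_SAMPLE='4229 xinit -nolisten tcp
4230 X :0
4248 sh /etc/X11/xinit/xinitrc -nolisten tcp
5001 /usr/X11R6/bin/X :1 -nolisten tcp'
NETSTAT_SAMPLE='tcp   0   0 0.0.0.0:6000    0.0.0.0:*   LISTEN
tcp   0   0 0.0.0.0:32768   0.0.0.0:*   LISTEN
tcp   0   0 127.0.0.1:631   0.0.0.0:*   LISTEN'

printf '%s\n' "$PS_SAMPLE" | x_without_nolisten
printf '%s\n' "$NETSTAT_SAMPLE" | x_tcp_listeners
```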

