n0n Guru
Joined: 13 Jun 2002 Posts: 355
Posted: Fri Aug 02, 2002 3:59 pm Post subject: X Security
Ordinarily, when you run X, you run programs as the user who started X, which doesn't cause any problems. You start up a browser, a file manager, an mp3 player, and all is well. Problems can arise when you try to run X programs as a user other than the one who started X, though. For instance, you might need to become root to run Ethereal, a graphical packet sniffer, or perhaps your file manager needs to be run as root. Typically, what users will do in this case is run the command: as the user who started X, and then make sure that root's $DISPLAY variable is set to something like "localhost:0.0". This solution works well, but there are some security issues to deal with which many users might not be aware of.
By default, X listens on a couple of TCP ports. This enables you to do funky things like run programs on other people's computers but display them on your monitor, and other such nifty things. This is also what enables the root user to run programs on X. The $DISPLAY variable will tell the X program to connect to "localhost" (your box) using TCP/IP, on the first X server. However, the ports that X uses to enable this communication are open to ANYONE on your network, not just your local root user. This isn't ideal, especially if you're on an untrusted network (like cablemodem, etc, although in that case you should really be behind a firewall anyway). Of course, by default, nobody's allowed to access these ports, which is what the "xhost" program does. When you run the command: It says "localhost (ip 127.0.0.1) has authorization to run X apps on this server." When you do:
Code: xhost +somemachine.domain.com
You're saying that "somemachine.domain.com" can access the ports and run programs. A machine NOT in the xhost list isn't allowed. Even if you use "xhost" to lock things down, though, the ports are still open, which makes them a security risk. Also, I'm guessing it wouldn't be terribly hard to fake packets to confuse the xhost security mechanism. So what's to be done about it?
X also uses another method of communication called UNIX sockets. UNIX sockets only exist inside your box, so there's no networking involved. This makes them inherently more secure than the TCP/IP ports that X opens up. (Granted, someone who's compromised your box would be able to use the sockets, but in that case you're already in hot water.) Only users on the local box will be able to use the sockets to run X programs, which is what we want to do in this case.
To stop X from listening on the TCP ports, you can start X with:
Code: startx -- -nolisten tcp
I'm sure you could modify a config file somewhere, too, but this is how I've always done it. When you do this, the ports won't be open, but it'll still use UNIX sockets. To give users access to use these sockets, you still use xhost, but instead of specifying a machine name, you do: Now any local process can connect to the UNIX sockets and run an X program. I have the xhost line sitting in my .xinitrc file, so it's run every time I start up the X server. To ensure that the ports are closed, you can use either "netstat" or "nmap."
Once this is done, just make sure that $DISPLAY is always set to ":0" (w/out the quotes) and you should be good to go. X is just a bit more secure!
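A shell check for the closing advice in this post, added here as an example and not part of the original thread: it reports whether an X display still has a TCP listener on port 6000 + display number (run over constructed netstat -ltn output so it works offline), and whether a $DISPLAY string with a host part, like "localhost:0.0", would make clients use TCP rather than the UNIX socket. The function names and sample output are the example's own.

```shell
#!/bin/sh
# Added check: does the X server for display :N still listen on TCP (6000 + N)?
# Runs on constructed netstat -ltn output so the logic can be read and run offline.

# TCP port the X server uses for display :N (port 6000 + N).
x_tcp_port() {
  echo $((6000 + $1))
}

# Succeed (exit 0) if the netstat -ltn style text in $2 shows a listener on display $1's port.
x_listening_in() {
  port=$(x_tcp_port "$1")
  printf '%s\n' "$2" | grep -Eq "^tcp6? +[0-9]+ +[0-9]+ +[^ ]+:${port} +[^ ]+ +LISTEN"
}

# Succeed if a DISPLAY value names a host before the colon (e.g. localhost:0.0),
# which asks clients to connect over TCP instead of the UNIX socket (:0).
display_uses_tcp() {
  case "$1" in
    :*)  return 1 ;;   # ":0", ":0.0" -> UNIX socket
    *:*) return 0 ;;   # "localhost:0.0", "host:1" -> TCP
    *)   return 1 ;;   # not a valid display string
  esac
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_OPEN='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN'
SAMPLE_CLOSED='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:60000           0.0.0.0:*               LISTEN'

# Human-readable verdict for one display against one netstat dump.
report() {
  if x_listening_in "$1" "$2"; then
    echo "display :$1 listens on TCP $(x_tcp_port "$1"); start X with -- -nolisten tcp"
  else
    echo "display :$1 has no TCP listener; clients must use the UNIX socket"
  fi
}

report 0 "$SAMPLE_OPEN"
report 0 "$SAMPLE_CLOSED"
# Against the live system: report 0 "$(netstat -ltn 2>/dev/null)"
```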
markwfrancis n00b
Joined: 07 Jun 2002 Posts: 2
Posted: Thu Oct 31, 2002 12:40 am Post subject:
xhost +localhost and xhost +local did not work for me. However
and xhost +inet:localhost worked. I am on XFree86 4.2.1.
Dalrain Tux's lil' helper
Joined: 02 Jul 2002 Posts: 136 Location: Wooster, OH USA
Posted: Sat Nov 02, 2002 8:36 pm Post subject: KDE
While this is not necessarily X, it would be prudent to mention that users can easily run other programs on their X sessions in KDE by using alt+f2, (by default) clicking options, then telling it to run the program as root. (Or whomever)