Linux XServer Security

[wearetheborg]

From http://plash.beasts.org/wiki/X11Security

QUOTE

The X server allows an X client to: * Snoop on the screen by reading its contents. * Snoop on the keyboard. * Take control of other X clients by sending them keyboard and mouse events. * Impersonate other X clients by using their names in window title bars. * Discover what other X clients are running. * Steal the input focus. * Deny service by grabbing the pointer or keyboard or the whole server. * Deny service by consuming the X server's resources.

Whats a realistic defense strategy?

One thing is to not enter the root password on any desktop application (including xterm).

Suppose I also want to protect the data in my home directory. If I open xterm in the same x-session as say firfox or a compromised pdf, then I am screwed? As the malware can send keystrokes to xterm?

Can javascript anyway screw me? Ie run downloaded malware files?

What is the solution? Run multiple x-servers at the same time (can be done)? Use xserver-less consoles (CTRL+ALT+F2) for entering passowords?

An example of keyloggers:
http://www.wilderssecurity.com/showpost.php?p=1740061&postcount=21

(I tried, the keylogger works )

Related discussion:
http://www.wilderssecurity.com/showthread.php?t=280781

[log69]

I just wrote a HowTo about sandbox that's a new feature in SL 6.x. That solves the problem in question by creating a separate X server for every sandbox'd process using Xephyr. Thought you might wanna take a look.

[helikaon]

Hi there,
imho, if you block the X server port in iptables level and if you forbid to users to log via ssh to your box (so that they cant tunnel tcp connections) or you control what they tunnel/forward, than it's pretty safe.

Another matter would be, if you want ppl connect to your X server and you want secure X server, while ppl are connected - i dont have experience with this, so cant say educatedly.

cheers,