Scientific Linux Forum.org



  Reply to this topicStart new topicStart Poll

> Linux XServer Security
wearetheborg
 Posted: Jan 16 2012, 03:33 AM
Quote Post


SLF Advocate
*****

Group: Members
Posts: 352
Member No.: 18
Joined: 11-April 11









From http://plash.beasts.org/wiki/X11Security

QUOTE

The X server allows an X client to:

* Snoop on the screen by reading its contents.
* Snoop on the keyboard.
* Take control of other X clients by sending them keyboard and mouse events.
* Impersonate other X clients by using their names in window title bars.
* Discover what other X clients are running.
* Steal the input focus.
* Deny service by grabbing the pointer or keyboard or the whole server.
* Deny service by consuming the X server's resources.


Whats a realistic defense strategy?

One thing is to not enter the root password on any desktop application (including xterm).

Suppose I also want to protect the data in my home directory. If I open xterm in the same x-session as say firfox or a compromised pdf, then I am screwed? As the malware can send keystrokes to xterm?

Can javascript anyway screw me? Ie run downloaded malware files?

What is the solution? Run multiple x-servers at the same time (can be done)? Use xserver-less consoles (CTRL+ALT+F2) for entering passowords?

An example of keyloggers:
http://www.wilderssecurity.com/showpost.php?p=1740061&postcount=21

(I tried, the keylogger works sad.gif )

Related discussion:
http://www.wilderssecurity.com/showthread.php?t=280781


--------------------
PM
^
log69
 Posted: Mar 3 2012, 06:38 PM
Quote Post


SLF Member
***

Group: Members
Posts: 98
Member No.: 1325
Joined: 24-February 12









I just wrote a HowTo about sandbox that's a new feature in SL 6.x. That solves the problem in question by creating a separate X server for every sandbox'd process using Xephyr. Thought you might wanna take a look.
PM
^
helikaon
 Posted: Mar 13 2012, 03:29 PM
Quote Post


SLF Moderator
******

Group: Moderators
Posts: 575
Member No.: 4
Joined: 8-April 11










Hi there,
imho, if you block the X server port in iptables level and if you forbid to users to log via ssh to your box (so that they cant tunnel tcp connections) or you control what they tunnel/forward, than it's pretty safe.

Another matter would be, if you want ppl connect to your X server and you want secure X server, while ppl are connected - i dont have experience with this, so cant say educatedly.

cheers, smile.gif


--------------------
PMEmail Poster
^
0 User(s) are reading this topic (0 Guests and 0 Anonymous Users)
0 Members:

Topic Options Reply to this topicStart new topicStart Poll