Re: X11 server connection
on Sun, Mar 23, 2003 at 11:09:33PM -0800, nate (debian-user@aphroland.org) wrote:
> Karsten M. Self said:
>
> >> #export DISPLAY=localhost:0.0
> >> $xhost +localhost
> >
> > Very bad idea. This opens your X session to any user. If you're using a
> > truly brain-dead configuration, this means any host which can see yours on
> > the network can read or write your X connection.
>
> I don't understand why this is bad.. I mean xhost + is usually a bad
> idea but xhost +some_address should restrict it to that one address.
Hint: how are you authenticating your host(s)? Do you trust DNS or
your local network? You *don't* trust your remote network.
> of course if you have multiple users on the same machine it's a bad
> idea, my systems are generally single user(at least systems with X).
Do they allow remote connections? You don't trust them either now.
> but I still have to resort to using xhost +some_address for systems
> that don't have ssh (it can be a real bitch to get ssh working on
> some platforms (strictly non-linux/bsd speaking)).
What platform(s)?
I can pretty much guarantee that there's a client for it:
http://www.linuxmafia.com/pub/linux/security/ssh-clients
In particular, PuTTY for legacy MS Windows has a trivial X11 forwarding
option.
> my former employer makes a popular commercial X server/thin client
> solution, and at least at one point (not sure if they fixed it) the
> system ran by default without any access controls(xhost +), though the
> X server did not listen for TCP connections so you had to be on the
> same machine in order to do anything. I was really surprised when they
> said that, they acted like it wasn't anything bad :/ especially since
> the software was used on thin clients, usually multiple users logged
> in at once. I don't think customers ever noticed/complained even.
Post it to BUGTRAQ. See if they (your former employer) notice.
Peace.
--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Reform three-strikes: stop jailing nonviolent offenders.
http://www.amend3strikes.org/
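The distinction Karsten is drawing, host-based `xhost` grants versus per-user authorization, is easy to audit on the X server side. The following shell snippet is an added example, not code from either poster or from any Debian package: it classifies the output of `xhost` (real X.Org output format, but the three samples below are constructed) into three states. A host-based entry such as `INET:localhost` is what `xhost +some_address` creates, and it admits every user on that host, authenticated only by IP address or DNS name; a server-interpreted `SI:localuser:name` entry, or the MIT-MAGIC-COOKIE that `ssh -X`/PuTTY forwarding installs via `xauth`, authorizes a specific user instead.

```sh
#!/bin/sh
# Added audit helper for X11 access control (not part of the mailing-list thread).
# Reads `xhost` output on stdin and prints one word:
#   ok         - access control on, only SI: (server-interpreted) entries, e.g. SI:localuser:name
#   host-based - access control on, but INET:/INET6:/LOCAL: entries exist (xhost +somehost):
#                every user on that host is trusted, on the strength of IP/DNS alone
#   disabled   - access control off (xhost +): any client that can reach the server connects
audit_xhost() {
    verdict=ok
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*) verdict=disabled ;;
            INET:*|INET6:*|LOCAL:*) [ "$verdict" = disabled ] || verdict=host-based ;;
        esac
    done
    echo "$verdict"
}

# Lists the host-based grants so an admin can remove them with `xhost -<host>`.
host_entries() {
    grep -E '^(INET|INET6|LOCAL):' || true
}

# Constructed samples mimicking real X.Org `xhost` output.
SAMPLE_SAFE='access control enabled, only authorized clients can connect
SI:localuser:karsten'
SAMPLE_HOSTBASED='access control enabled, only authorized clients can connect
SI:localuser:karsten
INET:localhost
INET:some_address.example'
SAMPLE_OPEN='access control disabled, clients can connect from any host'

# Stand-alone demo; on a live system you would pipe `xhost | audit_xhost` instead.
for name in SAMPLE_SAFE SAMPLE_HOSTBASED SAMPLE_OPEN; do
    eval "sample=\$$name"
    printf '%-16s -> %s\n' "$name" "$(printf '%s\n' "$sample" | audit_xhost)"
done
printf '%s\n' "$SAMPLE_HOSTBASED" | host_entries
```

On a real workstation replace the samples with `xhost | audit_xhost`; a `host-based` or `disabled` verdict is the condition Karsten objects to, and the remedy the thread recommends is to drop the `INET:` entries (`xhost -localhost`) and carry the session over ssh X11 forwarding, which needs no `xhost` grant at all.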