Laurent Schneider

Maybe you have a firewall in your company, only your PC can access the production server, only you have the root password in prod, and your company spend a lot of money in security, but you dare using xhost +.

This is a huge security hole, because it gives anyone access to your X resources, not only your display, but also your mouse and your keyboard, so anyone can read/modify/corrupt what you are typing/clicking. It is a bad habit to use xhost+. Even using xhost +localhost give access to your keyboard to anyone on localhost…

So what else could you use ?

The simplest is probably ssh tunnelling.

lsc@chltlxlsc:~> ssh -X oracle@localhost
Last login: Fri Max  2 10:24:09 2007 from localhost
oracle@chltlxlsc:~> xterm -e true && echo success
success

Another way to do this is to use X cookies.

lsc@chltlxlsc1:~&gt; xauth extract ~/my-x-cookie $DISPLAY<
lsc@chltlxlsc1:~&gt; setfacl -m u:oracle:r ~/my-x-cookie
lsc@chltlxlsc1:~&gt; su - oracle -c "DISPLAY=$DISPLAY bash"
Password:
oracle@chltlxlsc1:~&gt; xterm -e true && echo success
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified

xterm Xt error: Can't open display: :0.0
oracle@chltlxlsc1:~&gt; xauth merge ~lsc/my-x-cookie
xauth:  creating new authority file ~oracle/.Xauthority
oracle@chltlxlsc1:~&gt; xterm -e true && echo success
success

No need to type all. Here is my alias

alias oracle='
  xauth extract $HOME/my-x-cookie $DISPLAY;
  setfacl -m u:oracle:r $HOME/my-x-cookie;
  su - oracle -c "export DISPLAY=$DISPLAY;
    xauth merge $HOME/my-x-cookie; 
    bash"'

This entry was posted on Friday, March 2nd, 2007 at 11:02 and is filed under installation, security, linux. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
Post to : del.icio.us - Digg it - Furl - reddit - Spurl